
Microsoft Patch Tuesday Fixes 23 Security Vulnerabilities

Microsoft released fixes for 23 security vulnerabilities today including critical patches for Internet Explorer and Windows.

The fixes are spread across eight security bulletins. Three of them – covering issues in Internet Explorer (IE), Exchange and Windows – are rated ‘Critical.’ The remaining five are classified as ‘Important.’


“For those who need to prioritize deployment, we recommend focusing on MS13-059 (Internet Explorer) and MS13-060 (Windows) first,” blogged Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing.

The IE update closes 11 security holes in the browser, none of which is known to have been exploited in the wild so far. Nearly all of them could allow an attacker to execute code remotely if a user is tricked into viewing specially crafted content. Among them is a vulnerability exploited by researchers earlier this year at the Pwn2Own competition at the CanSecWest security conference.

MS13-060 addresses a vulnerability in the Unicode Scripts Processor included in Windows that, if exploited, could allow remote code execution provided the user viewed a specially-crafted document or Webpage with an application that supports embedded OpenType fonts.

“An attacker who successfully exploited this vulnerability could gain the same user rights as the current user,” according to Microsoft’s advisory. “Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The vulnerability affects only Windows XP and Windows Server 2003 installations, noted BeyondTrust CTO Marc Maiffret.

“Because this vulnerability lies within a shared component found in the operating system, used by third party applications, the attack vectors are far more widespread,” he said. “Any application that exposes the vulnerable portion of the Unicode Scripts Processor is susceptible to exploitation by attackers. The most likely attack vectors would be via a crafted document to be opened by an application, which would exploit the vulnerability and allow the attacker’s code to execute on the vulnerable system. Make sure to roll this patch out as soon as you can.”
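One practical way to see Maiffret's point on your own hosts is to enumerate which running applications have the Unicode Scripts Processor loaded. The script below is an added example, not code from the article or from BeyondTrust; it assumes the component ships as usp10.dll (Uniscribe) and that you run it elevated so other users' processes can be inspected. It is only meaningful on the platforms the bulletin covers, Windows XP and Windows Server 2003, and it uses PowerShell 2.0 syntax for that reason.

```powershell
# Added example: list running processes that have loaded the Unicode Scripts
# Processor, i.e. the applications on this host that expose the MS13-060
# component. Assumption: the component is usp10.dll (Uniscribe). Run as an
# administrator so that other users' processes can be examined.
$module = 'usp10.dll'

$exposed = foreach ($proc in Get-Process) {
    try {
        $mods = $proc.Modules | Where-Object { $_.ModuleName -ieq $module }
    } catch {
        # Access is denied for protected or foreign-bitness processes; skip them
        continue
    }
    foreach ($m in $mods) {
        New-Object PSObject -Property @{
            ProcessName = $proc.ProcessName
            PID         = $proc.Id
            ModulePath  = $m.FileName
            Version     = $m.FileVersionInfo.FileVersion
        }
    }
}

$exposed |
    Select-Object ProcessName, PID, ModulePath, Version |
    Sort-Object ProcessName |
    Format-Table -AutoSize
```

Anything that appears in the list, not just the browser and Office, is a potential entry point for a crafted document, and the Version column tells you at a glance which machines are still running the unpatched library after you roll the update out.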

The final critical bulletin is MS13-061, which resolves three publicly disclosed vulnerabilities in Microsoft Exchange Server. According to Microsoft, the vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA).

“Two of the three vulnerabilities addressed in this bulletin, CVE-2013-2393 and CVE-2013-3776, exist in Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013 through the WebReady Document Viewing feature,” Microsoft notes in the advisory. “The vulnerabilities could allow remote code execution as the LocalService account if a user views a specially crafted file through Outlook Web Access in a browser. An attacker who successfully exploited this vulnerability could run code on the affected Exchange Server, but only as the LocalService account. The LocalService account has minimum privileges on the local computer and presents anonymous credentials on the network.”
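Because the two Exchange vulnerabilities are reached only through WebReady Document Viewing, turning that feature off on every OWA virtual directory removes the attack surface until the MS13-061 update is installed. The script below is an added example for the Exchange Management Shell, not code from the article or from Microsoft's bulletin; it assumes the Get-OwaVirtualDirectory and Set-OwaVirtualDirectory cmdlets are available (Exchange 2007, 2010 and 2013) and that the account running it holds the Organization Management role.

```powershell
# Added example: audit, and optionally disable, WebReady Document Viewing on
# every OWA virtual directory in the organization. Run without -Disable to
# report only; add -Disable to switch the feature off as a stop-gap until the
# MS13-061 update is deployed. Assumes the Exchange Management Shell.
param(
    [switch]$Disable
)

foreach ($d in Get-OwaVirtualDirectory) {
    $public  = $d.WebReadyDocumentViewingOnPublicComputersEnabled
    $private = $d.WebReadyDocumentViewingOnPrivateComputersEnabled

    "{0}: WebReady public={1} private={2}" -f $d.Identity, $public, $private

    if (($public -or $private) -and $Disable) {
        Set-OwaVirtualDirectory -Identity $d.Identity `
            -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
            -WebReadyDocumentViewingOnPrivateComputersEnabled $false
        "  -> WebReady Document Viewing disabled on $($d.Identity)"
    }
}
```

This also takes the in-browser document preview away from legitimate users, so record the original values the audit run prints and restore them once the update is in place.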

The remaining bulletins, all rated Important, address issues in Windows, including MS13-063, which closes another hole exposed at the CanSecWest conference (CVE-2013-2556).
