SecurityWeek

Microsoft Patches Nearly Three Dozen Security Vulnerabilities

Microsoft released 10 security bulletins today, including two critical bulletins that address vulnerabilities in Internet Explorer [IE].

The larger of the two IE updates resolves 11 privately disclosed vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. The second IE update, MS13-038, closes a hole that is being actively exploited in the wild through watering hole attacks targeting IE8 users. The flaw is a use-after-free: it lies in the way IE accesses an object in memory that has already been deleted or was never properly allocated.

To exploit it, an attacker would have to lure the victim to a compromised website; if that succeeds, the vulnerability can be used to execute code remotely. The bug was spotted earlier this month being used to compromise visitors to the U.S. Department of Labor website.
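The bug class named above is easier to reason about with a concrete shape in front of you. The C below is an added illustration, not Microsoft's or Internet Explorer's code: it uses a constructed `node_t` type standing in for a DOM object that two parts of a browser may hold a handle to, shows the dangling-pointer pattern of a use-after-free next to a reference-counted version that keeps the object alive until the last holder lets go, and nulls released pointers so a holder cannot dereference freed memory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy object standing in for a browser DOM node that both the
 * layout engine and a script may hold a handle to (hypothetical, not IE's). */
typedef struct node {
    int  refcount;        /* number of live holders (used by the hardened path) */
    char name[32];
} node_t;

node_t *node_new(const char *name) {
    node_t *n = calloc(1, sizeof *n);
    if (!n) return NULL;
    n->refcount = 1;
    strncpy(n->name, name, sizeof n->name - 1);
    return n;
}

/* --- Vulnerable pattern: the use-after-free shape the article describes.
 * One holder frees the object while a second holder still has a raw pointer
 * and later dereferences it. Behaviour is undefined; what the freed memory
 * contains depends on the allocator. This function is shown for contrast and
 * is not called by main() or the tests. */
int vulnerable_script_sequence(void) {
    node_t *layout_ref = node_new("body");
    node_t *script_ref = layout_ref;          /* second raw pointer, no ownership */
    if (!layout_ref) return -1;
    free(layout_ref);                          /* first holder tears the node down */
    return (int)strlen(script_ref->name);     /* use after free: dangling read */
}

/* --- Hardened pattern: every holder takes a reference, the object is only
 * released when the last holder lets go, and released pointers are nulled. */
node_t *node_acquire(node_t *n) {
    if (n) n->refcount++;
    return n;
}

void node_release(node_t **slot) {
    node_t *n = *slot;
    if (!n) return;
    *slot = NULL;                              /* the holder's pointer cannot dangle */
    if (--n->refcount == 0) {
        memset(n, 0, sizeof *n);               /* scrub before free (defence in depth) */
        free(n);
    }
}

/* Same event ordering as the vulnerable path, but through the reference-
 * counted API. Returns the name length still readable from the script's
 * handle after the layout engine has dropped its reference, -1 on allocation
 * failure, or -2 if the ownership invariants were violated. */
int hardened_script_sequence(void) {
    node_t *layout_ref = node_new("body");
    if (!layout_ref) return -1;
    node_t *script_ref = node_acquire(layout_ref);
    node_release(&layout_ref);                 /* layout drops; object stays alive */
    int len = (layout_ref == NULL && script_ref->refcount == 1)
                  ? (int)strlen(script_ref->name) : -2;
    node_release(&script_ref);                 /* last holder: object freed here */
    return len;                                /* returns 4 for "body" */
}

int main(void) {
    printf("hardened sequence read %d bytes safely\n", hardened_script_sequence());
    return 0;
}
```

Building with `-fsanitize=address` and calling `vulnerable_script_sequence()` makes the dangling read visible at the first dereference, which is the check to run over code that passes raw pointers to objects another component may free.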

“On one level, this is Microsoft at their security best,” said Ross Barrett, senior manager of security engineering at Rapid7. “They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches. On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft’s patching and support models.”

“Compare this to Google’s Chrome browser, which quietly patches itself as fixes become available and has no down-level supported ‘old version,’ which exposes millions of their users to risk,” he continued. “Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for the risk-averse IT departments but now defaults its users to the same model as Chrome. Microsoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model.”

Outside of the IE bulletins, this month’s Patch Tuesday touches on Microsoft Windows, Microsoft Office, Server and Tools and .NET Framework. 

“It’s very important for organizations to update the three ‘Important’ kernel escalation of privilege vulnerabilities,” said Kaspersky Lab Senior Security Researcher Kurt Baumgartner, referring to MS13-046. “While these have not yet been known to be publicly exploited, EoP [escalation of privilege] are actively deployed for post-exploitation purposes and are a significant part of any infiltration exercise.”

Organizations should also pay attention to MS13-039, a denial-of-service vulnerability in Windows 8, Server 2012 and RT.

 “The Server 2012 web server denial of service is a big deal. You can very easily Denial of Service these systems with a very simple web request,” said BeyondTrust CTO Marc Maiffret. “Once a system has been hit by this Denial of Service you can only fix the system by doing a full reboot.”

Besides the Microsoft updates, Adobe Systems also patched several vulnerabilities affecting Adobe Flash Player, Reader, Acrobat and ColdFusion. According to Adobe, one of the ColdFusion vulnerabilities (CVE-2013-3336) is currently being exploited in the wild and can be used to allow an unauthorized user to remotely retrieve files stored on the server. Adobe is not aware of any attacks targeting the Reader, Acrobat and Flash Player vulnerabilities patched in the updates. 
