Microsoft released 10 security bulletins today, including two critical bulletins that address vulnerabilities in Internet Explorer [IE].
The larger of the two IE updates resolves 11 privately-disclosed vulnerabilities, the most severe of which could allow remote code execution if a user views a specially-crafted webpage using Internet Explorer. The second of the IE updates – MS13-038 – closes a security hole being poked at by hackers in the wild through waterhole attacks targeting users of IE8. A use-after-free vulnerability, the flaw exists in the way that IE accesses an object in memory that has been deleted or has not been properly allocated.
To exploit it, the attacker would have to get the victim to navigate to a compromised website. If the attacker is successful, the vulnerability can be used by an attacker to remotely execute code. The bug was spotted earlier this month being used to compromise visitors to the U.S. Department of Labor website.
“On one level, this is Microsoft at their security best,” said Ross Barrett, senior manager of security engineering at Rapid7. “They responded promptly to a publically disclosed issue and got the fix out in the next scheduled wave of patches. On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft’s patching and support models.”
“Compare this to Google’s Chrome browser, which quietly patches itself as fixes become available and has no down-level supported “old version,” which exposes millions of their users to risk,” he continued. “Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for the risk adverse IT departments but now defaults it’s users to the same model as Chrome. Microsoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model.”
Outside of the IE bulletins, this month’s Patch Tuesday touches on Microsoft Windows, Microsoft Office, Server and Tools and .NET Framework.
“It’s very important for organizations to update the three “Important” kernel escalation of privilege vulnerabilities,” said Kaspersky Lab Senior Security Researcher Kurt Baumgartner, referring to MS13-046. “While these have not yet been known to be publicly exploited, EoP [escalation of privilege] are actively deployed for post-exploitation purposes and are a significant part of any infiltration exercise.”
Organizations should also pay attention to MS13-039, a denial-of-service vulnerability in Windows 8, Server 2012 and RT.
“The Server 2012 web server denial of service is a big deal. You can very easily Denial of Service these systems with a very simple web request,” said BeyondTrust CTO Marc Maiffret. “Once a system has been hit by this Denial of Service you can only fix the system by doing a full reboot.”
Besides the Microsoft updates, Adobe Systems also patched several vulnerabilities affecting Adobe Flash Player, Reader, Acrobat and ColdFusion. According to Adobe, one of the ColdFusion vulnerabilities (CVE-2013-3336) is currently being exploited in the wild and can be used to allow an unauthorized user to remotely retrieve files stored on the server. Adobe is not aware of any attacks targeting the Reader, Acrobat and Flash Player vulnerabilities patched in the updates.