
Microsoft Patches Nearly Three Dozen Security Vulnerabilities

Microsoft released 10 security bulletins today, including two critical bulletins that address vulnerabilities in Internet Explorer [IE].

The larger of the two IE updates resolves 11 privately disclosed vulnerabilities, the most severe of which could allow remote code execution if a user views a specially crafted webpage in Internet Explorer. The second IE update, MS13-038, closes a hole that is already being exploited in the wild in watering hole attacks targeting IE8 users. The flaw is a use-after-free: IE accesses an object in memory after that object has been deleted, or before it has been properly allocated, so the memory the browser dereferences may by then hold whatever the attacker has placed there.

To exploit it, an attacker has to lure the victim to a website the attacker controls or has compromised; a successful exploit gives the attacker remote code execution with the rights of the logged-on user. The bug was spotted earlier this month being used to compromise visitors to the U.S. Department of Labor website.
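The paragraph above describes the bug class but not why a freed object turns into code execution. The following is an added example for this page, not Internet Explorer code and not the MS13-038 bug itself: a deterministic model in C of a use-after-free with attacker-controlled reuse of the freed memory. A toy fixed-size heap with a LIFO free list stands in for the browser's allocator so the slot reuse is reproducible without undefined behaviour on the real heap; the `element_t` object, the handler functions, and the slot sizes are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Microsoft's code, not the MS13-038 bug): a deterministic
 * model of a use-after-free. A toy heap with a LIFO free list stands in for
 * the browser allocator so the object reuse that makes these bugs exploitable
 * is reproducible. Object layout, handlers and slot sizes are hypothetical. */

#define SLOT_SIZE  32
#define SLOT_COUNT 4

/* Each slot is padded to long double alignment so any small struct fits. */
typedef union {
    long double align;
    unsigned char bytes[SLOT_SIZE];
} slot_t;

static slot_t heap[SLOT_COUNT];
static int free_list[SLOT_COUNT];
static int free_top;                 /* number of entries on the free list */

static void heap_init(void) {
    memset(heap, 0, sizeof heap);
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--)
        free_list[free_top++] = i;   /* slot 0 ends up on top of the list */
}

static void *toy_alloc(void) {
    return free_top ? heap[free_list[--free_top]].bytes : NULL;
}

/* LIFO free list: the next allocation of this size gets this slot back,
 * which is exactly the property a heap-spray exploit relies on. */
static void toy_free(void *p) {
    free_list[free_top++] = (int)((slot_t *)p - heap);
}

/* A DOM-element-like object whose first field is a function pointer,
 * standing in for the vtable pointer a C++ virtual call reads first. */
typedef struct {
    int (*on_event)(void);
    int id;
} element_t;

static int benign_handler(void)   { return 1; }
static int attacker_handler(void) { return 0xBAD; }  /* stands in for sprayed shellcode */

/* Vulnerable flow: a second reference survives the object's deletion. */
int vulnerable_flow(void) {
    heap_init();
    element_t *elem = toy_alloc();
    elem->on_event = benign_handler;
    elem->id = 7;
    element_t *stale = elem;         /* e.g. a pending event still holds the node */

    toy_free(elem);                  /* node removed from the DOM and freed */

    /* Attacker-controlled allocation of the same size lands in the freed slot. */
    unsigned char *spray = toy_alloc();
    int (*fake)(void) = attacker_handler;
    memcpy(spray, &fake, sizeof fake);

    return stale->on_event();        /* "virtual call" through attacker data */
}

/* Fixed flow: the extra reference is cleared before the object is freed
 * (real code would reference-count the object rather than free it early). */
int fixed_flow(void) {
    heap_init();
    element_t *elem = toy_alloc();
    elem->on_event = benign_handler;
    elem->id = 7;
    element_t *stale = elem;

    stale = NULL;                    /* invalidate the reference first */
    toy_free(elem);

    unsigned char *spray = toy_alloc();
    int (*fake)(void) = attacker_handler;
    memcpy(spray, &fake, sizeof fake);

    return stale ? stale->on_event() : -1;  /* no dispatch through a dead object */
}

int main(void) {
    printf("vulnerable flow returned 0x%x (attacker handler ran)\n", vulnerable_flow());
    printf("fixed flow returned %d (no call through freed object)\n", fixed_flow());
    return 0;
}
```

The vulnerable path returns the attacker handler's value because the freed slot is handed straight back to the next same-sized allocation, which is what a heap spray of same-sized objects achieves against a real allocator; in the browser that slot would contain a forged vtable pointing at shellcode rather than a test value. Mitigations such as isolated heaps and delayed frees work by breaking precisely that reuse.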

“On one level, this is Microsoft at their security best,” said Ross Barrett, senior manager of security engineering at Rapid7. “They responded promptly to a publicly disclosed issue and got the fix out in the next scheduled wave of patches. On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft’s patching and support models.”

“Compare this to Google’s Chrome browser, which quietly patches itself as fixes become available and has no down-level supported ‘old version,’ which exposes millions of their users to risk,” he continued. “Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for the risk-averse IT departments but now defaults its users to the same model as Chrome. Microsoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model.”

Outside of the IE bulletins, this month’s Patch Tuesday also covers Microsoft Windows, Microsoft Office, Microsoft Server and Tools, and the .NET Framework.

“It’s very important for organizations to update the three ‘Important’ kernel escalation of privilege vulnerabilities,” said Kaspersky Lab Senior Security Researcher Kurt Baumgartner, referring to MS13-046. “While these have not yet been known to be publicly exploited, EoP [escalation of privilege] are actively deployed for post-exploitation purposes and are a significant part of any infiltration exercise.”

Organizations should also pay attention to MS13-039, a denial-of-service vulnerability in the Windows HTTP protocol stack (HTTP.sys) that affects Windows 8, Windows Server 2012 and Windows RT.

“The Server 2012 web server denial of service is a big deal. You can very easily denial-of-service these systems with a very simple web request,” said BeyondTrust CTO Marc Maiffret. “Once a system has been hit by this denial of service you can only fix the system by doing a full reboot.”

Besides the Microsoft updates, Adobe Systems also patched several vulnerabilities affecting Adobe Flash Player, Reader, Acrobat and ColdFusion. According to Adobe, one of the ColdFusion vulnerabilities (CVE-2013-3336) is already being exploited in the wild and allows an unauthorized user to remotely retrieve files stored on the server. Adobe is not aware of any attacks targeting the Reader, Acrobat and Flash Player vulnerabilities patched in these updates.

Written By

Marketing professional with a background in journalism and a focus on IT security.
