SecurityWeek

Microsoft Plugs IE Zero-day in Patch Tuesday Update

Microsoft released eight security bulletins – including four rated Critical – to address 26 vulnerabilities in Windows, Internet Explorer and other products in this month’s Patch Tuesday.

Among the vulnerabilities is a critical IE zero-day that Microsoft warned about last month. The bug has already been observed being exploited in multiple attack campaigns targeting Internet Explorer users around the world.

“If your job depends on securing systems running Windows, you should be eagerly awaiting the patch for the Internet Explorer (IE) 0-day (CVE-2013-3893: SetMouseCapture Use-After-Free) vulnerability in today’s Patch Tuesday (MS13-080),” said Ross Barrett, senior manager of security engineering at Rapid7. “Exploitation of this vulnerability was detected first in targeted, regionally restricted exploitation, and then later in broader use once the exploit code spread to various public sites. Hopefully users have applied the Microsoft FixIt and/or EMET mitigations, and maybe even tested them with the Metasploit module that came out last week.”

All totaled, the IE bulletin (MS13-080) addresses 10 separate issues. Beyond that, Microsoft recommends customers focus on MS13-081 and MS13-083. MS13-081 is aimed at seven vulnerabilities in Windows, the most severe of which could allow remote code execution if a user views a malicious webpage with specially crafted OpenType fonts. MS13-083, meanwhile, fixes a separate remote code execution issue in Windows affecting vulnerable systems that are accessible via an ASP.NET web application that receives a specially crafted request.

“MS13-083 looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net web pages,” Barrett said. “This is a genuine article; a real, honest to goodness, potentially “wormable” condition. If the “bad guys” figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested. However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation.”

Craig Young, security researcher at Tripwire, said that administrators should consider deploying MS13-083 even on servers that do not typically open RTF documents.

“The underlying flaw is within common controls that can potentially be attacked through means other than maliciously crafted RTF documents,” he said. “Another aspect of this bug which raises the importance of this update is that RTF exploits tend to provide a vector for the bypass of Address Space Layout Randomization (ASLR). ASLR is a mitigation technology which makes it more difficult for an attacker to pre-determine memory address information needed to build a functional exploit.”

The fourth critical bulletin is MS13-082, which addresses three vulnerabilities in Microsoft’s .NET Framework. The most serious of these vulnerabilities enables an attacker to remotely execute code if a user visits a website containing a malicious OpenType font file using a browser capable of instantiating XBAP applications.

In addition to the critical bulletins are four that Microsoft has classified as ‘Important.’ This includes vulnerabilities in Microsoft SharePoint Server, Microsoft Excel, Microsoft Word and Microsoft Silverlight.

In addition to the Microsoft fixes, Adobe Systems issued two security bulletins today. The patches from Adobe address critical issues related to Adobe Reader and Acrobat as well as Adobe RoboHelp. The vulnerabilities are unrelated to the announcements last week regarding the theft of Adobe customer data and source code, and none of the vulnerabilities are known to be under attack, according to the company.
