Microsoft Plugs IE Zero-day in Patch Tuesday Update

Microsoft released eight security bulletins – including four rated Critical – to address 26 vulnerabilities in Windows, Internet Explorer and other products in this month’s Patch Tuesday.

Among the vulnerabilities is a critical IE zero-day that Microsoft warned about last month. Already, the bug has been observed being exploited in multiple attack campaigns targeted Internet Explorer users around the world.

“If your job depends on securing systems running Windows, you should be eagerly awaiting the patch for the Internet Explorer (IE) 0-day (CVE-2013-3893: SetMouseCapture Use-After-Free) vulnerability in today’s Patch Tuesday (MS13-080),” said Ross Barrett, senior manager of security engineering at Rapid7. “Exploitation of this vulnerability was detected first in targeted, regionally restricted exploitation, and then later in broader use once the exploit code spread to various public sites. Hopefully users have applied the Microsoft FixIt and/or EMET mitigations, and maybe even tested them with the Metasploit module that came out last week.”

All totaled, the IE bulletin (MS13-080) addresses 10 separate issues. Beyond that, Microsoft recommends customers focus on MS13-081 and MS13-083. MS13-081 is aimed at seven vulnerabilities in Windows, the most severe of which could allow remote code execution if a user views a malicious webpage with specially-crafted OpenType fonts. MS13-083 meanwhile fixes a separate remote code execution issue in Widows affecting vulnerable that are systems accessible via an ASP.NET web application that receives a specially-crafted request.

“MS13-083 looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net web pages,” Barrett said. “This is a genuine article; a real, honest to goodness, potentially “wormable” condition. If the “bad guys” figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested. However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation.”

Craig Young, security researcher at Tripwire, said that administrators should consider deploying MS13-083 even on servers that do not typically open RTF documents.

“The underlying flaw is within common controls that can potentially be attacked through means other than maliciously crafted RTF documents,” he said. “Another aspect of this bug which raises the importance of this update is that RTF exploits tend to provide a vector for the bypass of Address Space Layout Randomization (ASLR).  ASLR is a mitigation technology which makes it more difficult for an attacker to pre-determine memory address information needed to build a functional exploit.

 The fourth critical bulletin is MS13-082, which addresses three vulnerabilities in Microsoft’s .NET Framework. The most serious of these vulnerabilities enables an attacker to remotely execute code if a user visits a website containing a malicious OpenType font file using a browser capable of instantiating XBAP applications.

In addition to the critical bulletins are four that Microsoft has classified as ‘Important.’ This includes vulnerabilities in Microsoft SharePoint Server, Microsoft Excel, Microsoft Word and Microsoft Silverlight.

In addition to the Microsoft fixes, Adobe Systems also issued two security bulletins today as well. The patches from Adobe address critical issues related to Adobe Reader and Acrobat as well as Adobe RoboHelp. The vulnerabilities are unrelated to the announcements last week regarding the theft of Adobe customer data and source code, and none of the vulnerabilities are known to be under attack, according to the company.