With US Thanksgiving around the corner, Microsoft has released its monthly allotment of patches.
Before addressing this month’s updates, one important note is that the November 5 Microsoft Security Advisory (2896666) CVE-2013-3906 is not included in this Patch Tuesday. This unpatched remote code execution vulnerability specifically addresses how one of the Microsoft Graphics components within Microsoft Windows, Microsoft Office, and Microsoft Lync handles TIFF images. The key to this attack is convincing a user to open an email message, file, or webpage which contains the image giving the adversary the same rights as the current logged in user. Currently, McAfee has protection with Virus Scan Enterprise, Network Security Platform, and McAfee Vulnerability Manager. For more information about this threat please see here.
Moving on to this month’s updates, this Patch Tuesday, Microsoft has released eight patches addressing 19 individual vulnerabilities. Of the eight patches released, three are identified by Microsoft as “critical”. The remaining patches are labeled “important” by Microsoft. This month’s patches are as follows:
- MS13-088 Cumulative Security Update for Internet Explorer (2888505)
- MS13-089 Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331)
- MS13-090 Cumulative Security Update of ActiveX Kill Bits (2900986)
- MS13-091 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093)
- MS13-092 Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986)
- MS13-093 Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783)
- MS13-094 Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514)
- MS13-095 Vulnerability in Digital Signatures Could Allow Denial of Service (2868626)
Looking over the patches, I would like to highlight the following three critical updates:
The first highlighted patch is listed as critical for Windows XP, Vista, 7, 8, 8.1, and RT. For all supported editions of Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2, this security update is listed as moderate. This privately reported vulnerability is currently being exploited by malicious content creators and is recommended to be patched ASAP. The vulnerability could allow remote code execution if a user views a webpage with Internet Explorer, initiating the ActiveX. This patch should be the top priority of your patching cycle this month if you have these versions of Windows in your environment.
The second update consists of patches for 10 critical remote execution vulnerabilities found in all currently supported versions of Internet Explorer including the latest, IE 11. The security update fixes eight memory corruption issues, along with two flaws that could allow information disclosure. As with most browser-based attacks, the trajectory for this vulnerability would be a malicious webpage or possibly sent to the victim in a spear-phishing email. Though there no known uses of these vulnerabilities, with the recent release of this patch it will be only a short time before an adversary takes advantage. This patch should be the top priority of your patching cycle this month.
Thirdly, I would like to highlight patches for vulnerabilities found in all versions of supported Windows from XP to the 2012 Server including the RT version of Windows for tablets. This security update fixes a vulnerability that could allow remote code execution if a user views or opens a malicious Windows Write file in the built-in Windows application WordPad. Once opened in WordPad, the malicious picture file modifies the way that the Graphics Device Interface handles image files, giving the attacker the same access as the current logged on user. While this vulnerability requires the seldom-used application WinWord to execute its malicious content, I would still recommend patching this as soon as possible.
Aggregate coverage (combining host and network-based countermeasure together) is 14 out of 19. McAfee Vulnerability manager has the ability to scan and detect all 19 vulnerabilities. Specifically, coverage for all of the three most critical (MS13-088, MS13-90, and MS13-089) related vulnerabilities are covered by the following McAfee endpoint security software and NSP (McAfee IPS):
- BOP (Buffer Overflow Protection ww/ VSE)
- App Control
Additional research is being performed 24/7 by McAfee Labs and coverage may improve as more results come in. As further details become available, you’ll find them on the McAfee Threat Center. You may also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.
Finally, in case you’re interested, these briefings are archived for further reading.