Microsoft has released its monthly security updates, pushing fixes for 23 vulnerabilities. Of the eight bulletins released this month, Redmond is focused on two in particular, as they address flaws in Internet Explorer and Windows XP.
Microsoft says customers should focus on deploying MS13-059 as soon as possible: the bulletin fixes eleven vulnerabilities in Internet Explorer, affecting versions 6 through 10, including Internet Explorer on Windows RT. When it comes to the odds of these flaws being exploited, Microsoft rated them "1" on its Exploitability Index, meaning the software giant considers it likely that working exploit code will be developed within 30 days, if not sooner. It should also be noted that this bulletin contains the fix for the vulnerability used at the Pwn2Own contest earlier this year.
The second bulletin Microsoft is worried about is MS13-060. It addresses a single flaw in the Windows operating system, in the Unicode Scripts Processor. An attacker who exploited it could execute code remotely, simply by having a user visit a malicious webpage or open a document that embeds a malicious OpenType font. But there's a catch:
"MS13-060 addresses a font vulnerability in the Bangali font, part of the Indic language pack. [It] can only be exploited in Windows XP [and Server 2003], so your organization might escape this patch if the language pack is not installed or if you are not running on XP anymore," explains Wolfgang Kandek, Qualys' CTO.
"If you are still running on XP and our stats indicate that over 13 percent of you are still on Windows XP, it is time to implement a migration plan to a newer operating system; after all, Windows XP loses its support in April of next year. It will then stop receiving security updates and will quickly deteriorate into an easy target for even inexperienced attackers."
Another bulletin released this month that will draw some attention addresses a flaw in Microsoft Exchange. MS13-061 is not much to worry about, however, since it addresses something Oracle patched some time ago. The vulnerability Microsoft squashed lives in the third-party Oracle Outside In library that Exchange uses; all Microsoft has done this month is incorporate Oracle's patches into Exchange.
As for the technical side, MS13-061 is triggered when a user opens a malicious message in Outlook Web Access (OWA). Microsoft notes that the issue has been publicly disclosed, but most experts don't see it as a serious threat. Exchange administrators should still schedule the update, since the vulnerable library runs on the Exchange server itself rather than on the user's machine.