November 2013 Patch Tuesday: Microsoft fixes 19 vulnerabilities

As part of their monthly patch cycle, Microsoft has released eight security bulletins this month, which address 19 vulnerabilities in Windows and Office. Overall, it’s a modest round of patching, but it does include a fix for one of the two publicly known Zero-Day vulnerabilities in Internet Explorer.

Microsoft delivered on their promise that I wrote about yesterday, and patched one of the known Internet Explorer Zero-Day vulnerabilities in MS13-090. The flaw was being used by attackers to deliver diskless malware, and is ranked as critical by Redmond. The other Zero-Day, which focuses on TIFF rendering, remains unpatched. However, there are mitigations that can be used to address it in the mean time.

In addition to MS13-090, experts agree that two other patches need to be a priority:

MS13-088 – This bulletin addresses 10 vulnerabilities within Internet Explorer, from versions 6 through 11. Two of them are information disclosure bugs, but eight of them are browse and get owned bugs, due to memory corruption issues. When it comes to exploit code, there is nothing in the wild yet, but Microsoft says that these issues are likely to be exploited.

MS13-089 – This bulletin fixes a problem with GDI that impacts every version of the operating system from Windows XP to Windows 8.1. It’s not a browse and get owned issue like those addressed in the Internet Explorer patches, but this bug can be leveraged in social engineering attacks. All an attacker needs to do is convince a victim to open a malicious WordPad document. Again, Microsoft says that this issue is likely to be exploited sooner rather than later.

Another patch that might be considered a priority (assuming it applies to your organization), singled out by Marc Maiffret, the CTO of BeyondTrust, is MS13-092. The patch fixes an elevation of privilege problem in Hyper-V, but it only impacts Windows 8 and Server 2012, so Windows 8.1 and Server 2012 R2 are not affected.

Once an attacker has access to a guest VM within a Hyper-V host, exploiting the vulnerability would do one of two things; crash the host system (creating a DoS situation), or execute code on another guest running on the affected host machine.

“The denial of service attack would be useful for causing a disruption as a distraction, whereas the ability to execute arbitrary code on another guest machine could be incredibly valuable in the context of hosted virtual machine scenarios, permitting the takeover of other guests running on affected Hyper-V hosts,” Maiffret said in an email.

Qualys CTO, Wolfgang Kandek also noted that Microsoft updated KB2755801, which indicates that it will be delivering a new version of Adobe’s Flash player. Adobe patched two vulnerabilities on Tuesday that if exploited could lead to code execution in some cases.

“Overall, while it is only a medium-sized Patch Tuesday, pay special attention to the two 0-days and the Internet Explorer update. Browsers continue to be the favorite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets,” Kandek said in an emailed statement.

The full breakdown of patches released this month can be viewed here. Commentary from Microsoft is available on the MSRC blog.