
Microsoft fixes Internet Explorer, .Net framework and Silverlight with seven patches

Microsoft to issue seven patches, three of them critical, on next week's Patch Tuesday

Microsoft released six critical patches on its monthly Patch Tuesday.

Addressing 34 vulnerabilities in Windows, Internet Explorer, .Net Framework, Silverlight, GDI+ and Windows Defender, it recommended patching MS13-055 first, which fixes bugs in Internet Explorer.

Wolfgang Kandek, CTO of Qualys, said a change by Microsoft in the advisory of this bulletin indicates that it has detected exploits against CVE-2013-3163 in Internet Explorer 8.

“CVE-2013-3163 is one of the remote code execution vulnerabilities and is rated ‘critical’; so you should patch as quickly as possible if you are still on IE8,” he said.

Ziv Mador, director of security research at Trustwave, said: “This bulletin fixes 17 common vulnerabilities and exposures (CVEs) and of those, 16 of them are rated critical. If you only apply one patch it should definitely be this one.

“The most severe of these CVEs could allow remote code execution via a specially crafted web page viewed in Internet Explorer. It doesn't matter which version: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9 and Internet Explorer 10 are all impacted. Most of these vulnerabilities are memory corruption issues and one is a cross-site scripting issue.”

Ross Barrett, senior manager of security engineering at Rapid7, highlighted this patch and also MS13-053, a Windows patch that applies to all versions of the OS. He said: “The top two patching priorities are the kernel issue (MS13-053) and the Internet Explorer patch bundle (MS13-055). These are both priority one, according to Microsoft, with MS13-052, MS13-054, MS13-056, and MS13-057 all coming in at priority two.

“Remember that patching priority and a ‘critical’ rating from Microsoft factor in exploitability and whether the vulnerability has been responsibly disclosed. Some of the vulnerabilities patched in MS13-052 and MS13-053 are known to be under active exploitation in the wild but exploitation is considered unlikely, whereas some of the responsibly disclosed issues in Internet Explorer are considered likely for exploitation now that the patch is out.”

Barrett also said that for the first time ever, Microsoft is addressing a single CVE (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054).

“This issue relates to TrueType font processing and legitimately affects different components. By splitting this out, Microsoft is directly addressing a complaint about previous ‘rolled up’ advisories where it was difficult to properly prioritise the multiple patches required to remediate the problem, and component patches were frequently missed,” he said.

Looking at MS13-053, Kandek said: “The most likely attack vector is through users browsing a malicious web page or opening an infected document, which results in remote code execution that gives control of the affected machine to the attacker.

“The second high-profile vulnerability is CVE-2013-3660, a local Windows zero-day, which got its start by a post from researcher Tavis Ormandy on the ‘full disclosure’ mailing list, and which soon after had several implementations published in underground forums and in security research tools such as Metasploit and Core Impact.”

Looking at MS13-052, Mador said: “This bulletin has to fix quite a bit of stuff: including how the .Net Framework handles multi-dimensional arrays of small structures, validates the permissions of objects performing reflection, allocates object arrays, and handles partial trust vulnerabilities among other things. So much stuff you may be offered multiple updates depending on what versions of stuff you have installed.”

The remaining critical bulletins are MS13-057 (Windows Media), which is triggered by a malicious media file, and MS13-058 (DirectShow), which fixes a vulnerability, CVE-2013-, in the GIF graphics format.

“MS13-058 is lowest on our list, since there is no Microsoft product using the vulnerable gif function. However, third-party applications are potentially affected,” Kandek said.
