
Microsoft fixes Internet Explorer, .Net framework and Silverlight with seven patches

Microsoft to issue seven patches, three of them critical, on next week's Patch Tuesday

Microsoft released six critical patches on its monthly Patch Tuesday.

Addressing 34 vulnerabilities in Windows, Internet Explorer, .Net Framework, Silverlight, GDI+ and Windows Defender, it recommended patching MS13-055 first, which fixes bugs in Internet Explorer.

Wolfgang Kandek, CTO of Qualys, said a change by Microsoft in the advisory of this bulletin indicates that it has detected exploits against CVE-2013-3163 in Internet Explorer 8.

“CVE-2013-3163 is one of the remote code execution vulnerabilities and is rated ‘critical’; so you should patch as quickly as possible if you are still on IE8,” he said.

Ziv Mador, director of security research at Trustwave, said: “This bulletin fixes 17 common vulnerabilities and exposures (CVEs) and of those, 16 of them are rated critical. If you only apply one patch it should definitely be this one.

“The most severe of these CVEs could allow remote code execution via a specially crafted web page viewed in Internet Explorer. It doesn't matter which version: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9 and Internet Explorer 10 are all impacted. Most of these vulnerabilities are memory corruption issues and one is a cross-site scripting issue.”

Ross Barrett, senior manager of security engineering at Rapid7, highlighted this patch and also MS13-053, a Windows patch that applies to all versions of the OS. He said: “The top two patching priorities are the kernel issue (MS13-053) and the Internet Explorer patch bundle (MS13-055). These are both priority one, according to Microsoft, with MS13-052, MS13-054, MS13-056, and MS13-057 all coming in at priority two.

“Remember that patching priority and a ‘critical’ rating from Microsoft factors in exploitability and if the vulnerability has been responsibly disclosed. Some of the vulnerabilities patched in MS13-052 and MS13-053 are known to be under active exploitation in the wild but exploitation is considered unlikely, whereas some of the responsibly disclosed issues in Internet Explorer are considered likely for exploitation now that the patch is out.”

Barrett also said that for the first time ever, Microsoft is addressing a single CVE (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054).

“This issue relates to TrueType font processing and legitimately affects different components. By splitting this out, Microsoft is directly addressing a complaint about previous ‘rolled up’ advisories where it was difficult to properly prioritise the multiple patches required to remediate the problem, and component patches were frequently missed,” he said.

Looking at MS13-053, Kandek said: “The most likely attack vector is through users browsing a malicious web page or opening an infected document, which results in remote code execution that gives control of the affected machine to the attacker.

“The second high profile vulnerability is CVE-2013-3660, a local Windows zero-day, which got its start by a post from researcher Tavis Ormandy on the ‘full disclosure’ mailing list, and which soon after had several implementations published in underground forums and in security research tools such as Metasploit and Core Impact.”

Looking at MS13-052, Mador said: “This bulletin has to fix quite a bit of stuff: including how the .Net Framework handles multi-dimensional arrays of small structures, validates the permissions of objects performing reflection, allocates object arrays, and handles partial trust vulnerabilities among other things. So much stuff you may be offered multiple updates depending on what versions of stuff you have installed.”

The remaining critical bulletins are MS13-057 (Windows Media), which is triggered by a malicious media file, and MS13-058 (DirectShow), which fixes a vulnerability CVE-2013- in the gif graphics format.

“MS13-058 is lowest on our list, since there is no Microsoft product using the vulnerable gif function. However, third-party applications are potentially affected,” Kandek said.
