
Microsoft issues seven bulletins for Patch Tuesday, but nothing for Pwn2Own vulnerability

Microsoft to issue seven patches, three of them critical, on next week's Patch Tuesday

Microsoft released seven bulletins last night, containing four patches rated as critical, to fix 20 vulnerabilities.

The patches fix flaws in Windows, Office, Internet Explorer, Server Tools and Silverlight. Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, said that Microsoft recommended deploying MS13-021, MS13-022 and MS13-027 first.

MS13-021 is the Internet Explorer patch and resolves nine issues in the browser, the most severe of which could allow remote code execution if a user views a specially crafted web page using Internet Explorer.

Marc Maiffret, CTO of BeyondTrust, said: “This bulletin alone composes almost half of the vulnerabilities addressed this month. Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers.”

Ziv Mador, director of security research at Trustwave, said: “This bulletin covers nine CVEs, eight of these were reported privately to Microsoft but one of them, and we suspect the one that is out of CVE numerical order, was publicly disclosed. As we suspected last week, all of them are use-after-free vulnerabilities in various parts of Internet Explorer.”

Microsoft also recommended the Silverlight patch be installed rapidly. This fixes a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application.

Wolfgang Kandek, CTO of Qualys, said: “This patch for Silverlight addresses three flaws that can be used to take control of both Windows and Mac OS X computers.”

Mador said: “This is something you usually see in Linux and not so often in Windows, at least not since the introduction of function pointer encoding in XP SP2. This one could require a little social engineering to exploit.

“Both Mac and Windows versions of Silverlight 5 are vulnerable, but not the current build 5.1.10411.0, which already addresses this vulnerability and is not impacted. Microsoft does expect exploit code to be developed for this fairly soon so it is best to allow auto update to do its thing and install the patch.”

The final patch Microsoft recommended focusing on is the important-rated MS13-027, which resolves three issues in Microsoft Windows that could allow elevation of privilege if an attacker gains access to a system. Microsoft said that in a default configuration, an unauthenticated attacker could only exploit this vulnerability if they have physical access to the system.

Mador said: “The flaw exists in all supported versions of Windows from XP SP2 up to Server 2012. Since the problem exists in the USB drivers, you could try to prevent users from using USB devices, which these days would probably mean taking away their keyboard and mouse.”

The other two critical patches are MS13-023, which fixes a vulnerability in the Visio Viewer that could be exploited by convincing users to open seemingly legitimate email attachments, and MS13-024, which patches an elevation of privilege flaw in SharePoint.

Despite these fixes, Microsoft did not issue a patch for the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own. Andrew Storms, director of security operations at nCircle, said: “Unfortunately, this month's update doesn't include the IE 10 bug disclosed at the CanSecWest Pwn2Own competition, but with Microsoft's commitment to rapid response on IE vulnerabilities, I'm sure we can expect that fix next month.”
