
Microsoft issues seven bulletins for Patch Tuesday, but nothing for Pwn2Own vulnerability

Microsoft to issue seven patches, three of them critical, on next week's Patch Tuesday

Microsoft released seven bulletins last night, containing four patches rated as critical, to fix 20 vulnerabilities.

The patches fix flaws in Windows, Office, Internet Explorer, Server Tools and Silverlight. Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, said that Microsoft recommended deploying MS13-021, MS13-022 and MS13-027 first.

MS13-021 is the Internet Explorer patch and resolves nine issues in the browser, the most severe of which could allow remote code execution if a user views a specially crafted web page using Explorer.

Marc Maiffret, CTO of BeyondTrust, said: “This bulletin alone composes almost half of the vulnerabilities addressed this month. Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers.”

Ziv Mador, director of security research at Trustwave, said: “This bulletin covers nine CVEs, eight of these were reported privately to Microsoft but one of them, and we suspect the one that is out of CVE numerical order, was publicly disclosed. As we suspected last week, all of them are use-after-free vulnerabilities in various parts of Internet Explorer.”

Microsoft also recommended the Silverlight patch be installed rapidly. This fixes a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application.

Wolfgang Kandek, CTO of Qualys, said: “This patch for Silverlight addresses three flaws that can be used to take control of both Windows and Mac OS X computers.”

Mador said: “This is something you usually see in Linux and not so often in Windows, at least not since the introduction of function pointer encoding in XP SP2. This one could require a little social engineering to exploit.

“Both Mac and Windows versions of Silverlight 5 are vulnerable, but not the current build 5.1.10411.0, which already addresses this vulnerability and is not impacted. Microsoft does expect exploit code to be developed for this fairly soon so it is best to allow auto update to do its thing and install the patch.”

The final patch Microsoft recommended focusing on is the important-rated MS13-027, which resolves three issues in Microsoft Windows that could allow elevation of privilege if an attacker gains access to a system. Microsoft said that in a default configuration, an unauthenticated attacker could only exploit this vulnerability if they have physical access to the system.

Mador said: “The flaw exists in all supported versions of Windows from XP SP2 up to Server 2012. Since the problem exists in the USB drivers you could try to prevent users from using USB devices, which these days would probably mean taking away their keyboard and mouse.”

The other two critical patches are MS13-023, which fixes a vulnerability in the Visio Viewer that could be exploited by convincing users to open seemingly legitimate email attachments, and MS13-024, which patches an elevation of privilege flaw in SharePoint.

Despite these, Microsoft did not issue a patch for the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own. Andrew Storms, director of security operations at nCircle, said: “Unfortunately, this month's update doesn't include the IE 10 bug disclosed at the CanSecWest Pwn2Own competition, but with Microsoft's commitment to rapid response on IE vulnerabilities, I'm sure we can expect that fix next month.”
