
Microsoft releases five patches with one critical fix for Internet Explorer


Microsoft released five bulletins on its June Patch Tuesday, fixing one critical vulnerability in Internet Explorer.

The bulletins fix 23 vulnerabilities in Windows, Office and Internet Explorer. Microsoft recommended focusing first on MS13-047, the critical Internet Explorer bulletin, and MS13-051, which addresses a remote code execution flaw in Office.

BeyondTrust CTO Marc Maiffret said: “MS13-047 addresses 19 vulnerabilities in Internet Explorer, including 18 generic memory corruption vulnerabilities and one memory corruption caused by a script debugging vulnerability. Four out of these 19 vulnerabilities (CVE-2013-3112, CVE-2013-3113, CVE-2013-3121, and CVE-2013-3142) affect every supported version of Internet Explorer, so attackers will be targeting these vulnerabilities prior to attempting to exploit any of the others.”

Ziv Mador, director of security research at Trustwave, said: “It is rare to have only one bulletin in an entire release that contains more than one CVE. However, it is also unusual for one bulletin to have at least 18 of them.

“Similar to last month, Internet Explorer is plagued with more critical vulnerabilities, which appear to be caused by memory corruption issues. Many of the CVEs appear to suffer from use-after-free vulnerabilities, which could allow arbitrary code to be executed and/or cause denial-of-service conditions. However, there are many CVEs in here that can result in remote code execution, which is definitely something to worry about, especially when it affects a browser.”

Paul Henry, security and forensic analyst at Lumension, said: “Though this may be very concerning at first glance, the bulletin should not cause undue alarm. In order for the vulnerability to be executed, an attacker would have to craft a malicious site and use a phishing attack to lure an unsuspecting user to the site, which would then compromise the system. An attacker could not get in without some user participation.”

Looking at bulletin MS13-051, Wolfgang Kandek, CTO of Qualys, said that this patch for Microsoft Office 2003 on Windows and Office 2011 for Mac OS X addresses a parsing vulnerability in the PNG graphic format that is currently being exploited on a limited scale in the wild.

“The attack arrives in an Office document and is triggered when the user opens the document. Microsoft rates it only as ‘important’ because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward,” he said.

Mador said: “Microsoft Office 2003 SP3 and/or Microsoft for Mac 2011 users should pay particularly close attention to this vulnerability, since an attacker could specially craft an Office document that could potentially allow remote code execution conditions. This includes a user viewing a specially crafted email message in Outlook. This vulnerability could be especially risky for those users who always log in under an administrator privilege account, since this exploit could be used for escalated privileges.”
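The article does not describe the MS13-051 defect beyond calling it a PNG parsing vulnerability, so as an added illustration (not code from the article, Microsoft, or Qualys) here is a defensive PNG chunk walker showing the checks a hardened image parser applies: every chunk length is validated against the format's limit and the bytes actually present before it is used, and each chunk CRC is verified. The sample PNG bytes and the forged-length variant are constructed inline.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
MAX_CHUNK_LEN = 2**31 - 1  # PNG spec: a chunk length must fit in 31 bits


def parse_png_chunks(data: bytes):
    """Walk the chunk list, trusting a length field only after it is checked
    against both the spec limit and the bytes remaining in the buffer.
    Returns [(chunk_type, payload), ...] or raises ValueError."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos, chunks = len(PNG_SIGNATURE), []
    while pos < len(data):
        if len(data) - pos < 12:  # length(4) + type(4) + crc(4) at minimum
            raise ValueError(f"truncated chunk header at offset {pos}")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_type = data[pos + 4:pos + 8]
        available = len(data) - pos - 12
        # The length check is the point: a native parser that sizes a copy
        # from this field without comparing it to the real buffer is the
        # classic image-parsing memory corruption pattern.
        if length > MAX_CHUNK_LEN or length > available:
            raise ValueError(f"chunk {chunk_type!r} claims {length} bytes, "
                             f"only {available} available")
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(chunk_type + payload) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in chunk {chunk_type!r}")
        chunks.append((chunk_type, payload))
        pos += 12 + length
        if chunk_type == b"IEND":
            break
    if not chunks or chunks[0][0] != b"IHDR" or chunks[-1][0] != b"IEND":
        raise ValueError("IHDR must be first and IEND last")
    return chunks


def is_well_formed_png(data: bytes) -> bool:
    try:
        parse_png_chunks(data)
        return True
    except ValueError:
        return False


def _chunk(chunk_type: bytes, payload: bytes) -> bytes:
    return (struct.pack(">I", len(payload)) + chunk_type + payload
            + struct.pack(">I", zlib.crc32(chunk_type + payload) & 0xFFFFFFFF))


# Constructed sample: a 1x1 8-bit grayscale IHDR followed by IEND (no IDAT
# needed for the demo), then the same bytes with the IHDR length forged.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
GOOD_PNG = PNG_SIGNATURE + _chunk(b"IHDR", IHDR) + _chunk(b"IEND", b"")
BAD_PNG = PNG_SIGNATURE + struct.pack(">I", 0xFFFFFFF0) + GOOD_PNG[12:]
```

Running `is_well_formed_png` over both samples accepts `GOOD_PNG` and rejects `BAD_PNG` at the length check, before any payload bytes are touched.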

The other fixes are: MS13-048 for an information disclosure vulnerability; MS13-049 for a denial-of-service problem in the TCP/IP stack of newer Windows systems (Vista and later); and MS13-050 for a local privilege escalation vulnerability in the Windows print spooler.

Kandek also pointed out that a fix was not issued for the vulnerability that a Google engineer recently published an exploit for on the full-disclosure mailing list.

He said: “The zero-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal. The vulnerability should be addressed next Patch Tuesday unless wider exploitation in the wild is detected.”
