
Microsoft releases five patches with one critical fix for Internet Explorer


Microsoft released five bulletins on its June Patch Tuesday, fixing one critical vulnerability in Internet Explorer.

The bulletins fix 23 vulnerabilities in Windows, Office and Internet Explorer. Microsoft recommended prioritising MS13-047, the critical Internet Explorer bulletin, and MS13-051, which addresses a remote code execution flaw in Office.

BeyondTrust CTO Marc Maiffret said: “MS13-047 addresses 19 vulnerabilities in Internet Explorer, including 18 generic memory corruption vulnerabilities and one memory corruption caused by a script debugging vulnerability. Four out of these 19 vulnerabilities (CVE-2013-3112, CVE-2013-3113, CVE-2013-3121, and CVE-2013-3142) affect every supported version of Internet Explorer, so attackers will be targeting these vulnerabilities prior to attempting to exploit any of the others.”

Ziv Mador, director of security research at Trustwave, said: “It is rare to have only one bulletin in an entire release that contains more than one CVE. However, it is also unusual for one bulletin to have at least 18 of them.

“Similar to last month, Internet Explorer is plagued with more critical vulnerabilities, which appear to be caused by memory corruption issues. Many of the CVEs appear to suffer from use-after-free vulnerabilities, which could allow arbitrary code to be executed and/or cause denial-of-service conditions. However, there are many CVEs in here that can result in remote code execution, which is definitely something to worry about, especially when it affects a browser.”

Paul Henry, security and forensic analyst at Lumension, said: “Though this may be very concerning at first glance, the bulletin should not cause undue alarm. In order for the vulnerability to be executed, an attacker would have to craft a malicious site and use a phishing attack to lure an unsuspecting user to the site, which would then compromise the system. An attacker could not get in without some user participation.”

Looking at bulletin MS13-051, Wolfgang Kandek, CTO of Qualys, said that this patch for Microsoft Office 2003 on Windows and Office 2011 for Mac OS X addresses a parsing vulnerability in the PNG graphic format that is currently under limited exploitation in the wild.

“The attack arrives in an Office document and is triggered when the user opens the document. Microsoft rates it only as ‘important’ because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward,” he said.

Mador said: “Microsoft Office 2003 SP3 and/or Microsoft Office for Mac 2011 users should pay particularly close attention to this vulnerability, since an attacker could specially craft an Office document that could potentially allow remote code execution conditions. This includes a user viewing a specially crafted email message in Outlook. This vulnerability could be especially risky for those users who always log in under an administrator privilege account, since this exploit could be used for escalated privileges.”

The other fixes are: MS13-048, for an information disclosure vulnerability; MS13-049, for a denial-of-service problem in the TCP/IP stack of newer Windows systems (Vista and later); and MS13-050, for a local privilege escalation vulnerability in the Windows print spooler.

Kandek also pointed out that no fix was issued for the vulnerability for which a Google engineer recently published an exploit on the Full-Disclosure mailing list.

He said: “The zero-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal. The vulnerability should be addressed next Patch Tuesday unless wider exploitation in the wild is detected.”
