
Microsoft releases nine bulletins, but no Pwn2Own fixes


Microsoft issued nine bulletins to fix 14 vulnerabilities this week; however, it left several known flaws unpatched.

The software giant released nine bulletins, two of which were rated as critical and the remaining seven as important, to fix vulnerabilities in Tools, Windows, Internet Explorer, Microsoft Anti-Malware Client, Office and Server Software. It recommended focusing on the critical patches MS13-028 and MS13-029 first.

Wolfgang Kandek, CTO of Qualys, said: “This month, the most important bulletin to apply to your infrastructure is MS13-028, which contains a new release of Internet Explorer (IE) covering all versions of the browser starting with IE6 going to IE10, and also including Windows RT, the operating system for mobile devices and tablets.

“The second vulnerability to apply is MS13-029, which fixes a vulnerability in the Remote Desktop Client ActiveX control included in all Windows versions prior to Windows 8. While ActiveX controls can be included in most Windows programs, the most likely attack vector is through a web browser. According to Microsoft, EMET provides protection against both MS13-028 and MS13-029.”

Speaking on MS13-029, Ziv Mador, director of security research at Trustwave, said: “It has been a few months since we have had a remote desktop protocol vulnerability, but I was pretty sure we hadn't seen the last of them. In this case getting a user to visit a specially crafted web page could result in remote code execution. The actual flaw is located in the ActiveX control mstscax.dll, which attempts to access an object in memory that has been deleted.”

However, bugs revealed and exploited at the Pwn2Own event in March have not been fixed, with Vupen Security saying that its "Pwn2Own zero-days [were] still alive".

Marc Maiffret, CTO of BeyondTrust, said: “While Internet Explorer did get patched this month, it did not receive a fix for the recently disclosed zero-day. Instead, the patch addresses two use-after-free vulnerabilities that both affect every supported version of Internet Explorer (versions 6 through 10). Attackers will be looking into how to exploit these two vulnerabilities, since attackers can target multiple versions of Internet Explorer through the use of only a couple of vulnerabilities, so it is important to deploy this patch as soon as possible.”
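Both MS13-029 (Mador's description of mstscax.dll touching an object that has already been deleted) and the two Internet Explorer bugs Maiffret refers to are use-after-free flaws in reference-counted controls. The C program below is an added illustration of that bug class and of the standard defensive pattern, written for this article; it is constructed code, not Microsoft's mstscax.dll or Internet Explorer source. The `Control` type, the `releasing_handler` callback and the `dispatch_*` functions are hypothetical names chosen here. The unsafe dispatcher is included only for contrast and is never executed; the safe one holds its own reference across the callback so the object cannot be freed underneath it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical COM-style reference-counted control object (constructed for
 * this example; it is not code from mstscax.dll or Internet Explorer). */
typedef struct Control {
    int refcount;
    int state;                          /* per-control data a caller may read */
    void (*on_event)(struct Control *self);
} Control;

static int g_live_objects = 0;          /* Control objects still allocated */

Control *control_create(void (*handler)(Control *)) {
    Control *c = calloc(1, sizeof *c);
    if (!c) abort();
    c->refcount = 1;                    /* the creator holds the first reference */
    c->state = 42;                      /* constructed sample value */
    c->on_event = handler;
    g_live_objects++;
    return c;
}

void control_addref(Control *c) { c->refcount++; }

/* Drop one reference; destroy the object when the last one goes away. */
void control_release(Control *c) {
    if (--c->refcount == 0) {
        memset(c, 0xDD, sizeof *c);     /* poison freed memory, debug-heap style */
        free(c);
        g_live_objects--;
    }
}

/* A script-driven event handler that releases the host's reference while the
 * event is being dispatched: the classic trigger for this bug class. */
void releasing_handler(Control *c) { control_release(c); }

/* Vulnerable pattern: the dispatcher reads the object after the handler ran,
 * without holding a reference of its own.  If the handler released the last
 * reference, `c->state` reads freed memory.  Shown for contrast only; never
 * called in this program. */
int dispatch_unsafe(Control *c) {
    c->on_event(c);
    return c->state;                    /* dangling if the handler freed c */
}

/* Hardened pattern: take a reference for the duration of the call, so the
 * object stays alive until the dispatcher is finished with it. */
int dispatch_safe(Control *c) {
    control_addref(c);
    c->on_event(c);                     /* may drop the caller's reference; ours remains */
    int state = c->state;               /* still valid: refcount >= 1 here */
    control_release(c);                 /* now the object may really be freed */
    return state;
}

/* Runs the safe dispatcher on a fresh control whose handler releases the
 * creator's reference mid-callback, and returns the state that was read. */
int demo_safe_dispatch(void) {
    Control *c = control_create(releasing_handler);
    int state = dispatch_safe(c);
    /* c has been freed at this point; it must not be touched again. */
    return state;
}

int live_objects(void) { return g_live_objects; }

int main(void) {
    int s = demo_safe_dispatch();
    printf("state read during dispatch: %d, objects still alive: %d\n",
           s, live_objects());
    return 0;
}
```

The fix is the one-line `control_addref` before the callback and the matching `control_release` after it. Mitigations such as EMET, mentioned by Kandek above, make exploitation of this class harder but do not remove the bug; deploying the bulletin does.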

Kandek suspected that a fix was not issued due to the time constraints imposed by the quality assurance (QA) work necessary for an IE release. However, Adobe did release a security update for Flash based on the Pwn2Own research.
