Microsoft released six critical patches on its monthly Patch Tuesday.
Addressing 34 vulnerabilities in Windows, Internet Explorer, .Net Framework, Silverlight, GDI+ and Windows Defender, it recommended patching MS13-055 first, which fixes bugs in Internet Explorer.
Wolfgang Kandek, CTO of Qualys, said a change by Microsoft in the advisory of this bulletin indicates that it has detected exploits against CVE-2013-3163 in Internet Explorer 8.
“CVE-2013-3163 is one of the remote code execution vulnerabilities and is rated ‘critical’; so you should patch as quickly as possible if you are still on IE8,” he said.
Ziv Mador, director of security research at Trustwave, said: “This bulletin fixes 17 common vulnerabilities and exposures (CVEs) and of those, 16 of them are rated critical. If you only apply one patch it should definitely be this one.
“The most severe of these CVEs could allow remote code execution via a specially crafted web page viewed in Internet Explorer. It doesn't matter which version: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9 and Internet Explorer 10 are all impacted. Most of these vulnerabilities are memory corruption issues and one is a cross-site scripting issue.”
Ross Barrett, senior manager of security engineering at Rapid7, highlighted this patch and also MS13-053, a Windows patch that applies to all versions of the OS. He said: “The top two patching priorities are the kernel issue (MS13-053) and the Internet Explorer patch bundle (MS13-055). These are both priority one, according to Microsoft, with MS13-052, MS13-054, MS13-056, and MS13-057 all coming in at priority two.
“Remember that patching priority and a ‘critical’ rating from Microsoft factors in exploitability and if the vulnerability has been responsibly disclosed. Some of the vulnerabilities patched in MS13-052 and MS13-053 are known to be under active exploitation in the wild but exploitation is considered unlikely, whereas some of the responsibly disclosed issues in Internet Explorer are considered likely for exploitation now that the patch is out.”
“This issue relates to TrueType font processing and legitimately affects different components. By splitting this out, Microsoft is directly addressing a complaint about previous ‘rolled up’ advisories where it was difficult to properly prioritise the multiple patches required to remediate the problem, and component patches were frequently missed,” he said.
Looking at MS13-053, Kandek said: “The most likely attack vector is through users browsing a malicious web page or opening an infected document, which results in remote code execution that gives control of the affected machine to the attacker.
“The second high profile vulnerability is CVE-2013-3660, a local Windows zero-day, which got its start by a post from researcher Tavis Ormandy on the ‘full disclosure’ mailing list, and which soon after had several implementations published in underground forums and in security research tools such as Metasploit and Core Impact.”
Looking at MS13-052, Mador said: “This bulletin has to fix quite a bit of stuff: including how the .Net Framework handles multi-dimensional arrays of small structures, validates the permissions of objects performing reflection, allocates object arrays, and handles partial trust vulnerabilities among other things. So much stuff you may be offered multiple updates depending on what versions of stuff you have installed.”
The remaining critical bulletins are MS13-057 (Windows Media), which is triggered by a malicious media file, and MS13-058 (DirectShow), which fixes a vulnerability, CVE-2013-, in the GIF graphics format.
“MS13-058 is lowest on our list, since there is no Microsoft product using the vulnerable gif function. However, third-party applications are potentially affected,” Kandek said.