Microsoft released seven bulletins last night, containing four patches rated as critical, to fix 20 vulnerabilities.
The patches fix flaws in Windows, Office, Internet Explorer, Server Tools and Silverlight. Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, said that it recommended deploying MS13-021, MS13-022and MS13-027 first.
MS13-021 is the Internet Explorer patch and resolves nine issues in the browser, the most severe of which could allow remote code execution if a user views a specially crafted web page using Explorer.
Marc Maiffret, CTO of BeyondTrust, said: “This bulletin alone composes almost half of the vulnerabilities addressed this month. Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers.”
Ziv Mador, director of security research at Trustwave, said: “This bulletin covers nine CVE's, eight of these were reported privately to Microsoft but one of them, and we suspect the one that is out of CVE numerical order, was publicly disclosed. As we suspected last week, all of them are use after free vulnerabilities in various parts of Internet Explorer.”
Microsoft also recommended the Silverlight patch be installed rapidly. This fixes a vulnerability that could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application.
Wolfgang Kandek, CTO of Qualys, said: “This patch for Silverlight addresses three flaws that can be used to take control of both Windows and Mac OS X computers.
Mador said: “This is something you usually see in Linux and not so often in Windows, at least not since the introduction of function pointer encoding in XP SP2. This one could require a little social engineering to exploit.
“Both Mac and Windows versions of Silverlight 5 are vulnerable, but not the current build 5.1.10411.0, which already addresses this vulnerability and is not impacted. Microsoft does expect exploit code to be developed for this fairly soon so it is best to allow auto update to do its thing and install the patch.”
The final patch Microsoft recommended focusing on is the important-rated MS13-027, which resolves three issues in Microsoft Windows that could allow elevation of privilege if an attacker gains access to a system. It said that in a default configuration, an unauthenticated attacker could only exploit this vulnerability if they have physical access to the system.
Mador said: “The flaw exists in all supported versions of Windows from XP SP2 up to Server 2012. Since the problem exists in the USB drivers you could try to prevent users from using USB devices, which these days would probably mean taking away their keyboard and mouse.”
The other two critical patches are MS13-023 that fixes a vulnerability in the Visio Viewer that could be exploited by convincing users to open seemingly legitimate email attachments, and MS13-024 that patches an elevation of privilege flaw in SharePoint.
Despite these, Microsoft did not issue a patch for the Internet Explorer 10 vulnerabilities exploited by Vupen at Pwn2Own. Andrew Storms, director of security operations at nCircle, said: “Unfortunately, this month's update doesn't include the IE 10 bug disclosed at the CanSec West Pwn2Own competition, but with Microsoft's commitment to rapid response on IE vulnerabilities, I'm sure we can expect that fix next month.”