Patch Tuesday sees zero-days in Internet Explorer and Adobe products fixed

News by Dan Raywood

Microsoft released ten bulletins yesterday fixing 33 vulnerabilities, including the zero-day in Internet Explorer 8.

Microsoft released ten bulletins yesterday fixing 33 vulnerabilities, including the zero-day in Internet Explorer 8.

According to Dustin Childs, group manager of response communications at Microsoft Trustworthy Computing, the patches comprised two critical fixes and eight rated as ‘important', and address vulnerabilities in Internet Explorer, Microsoft Windows, Microsoft Office, Server and Tools and the .Net Framework.

He recommended focusing on the two critical fixes first, both for Internet Explorer, - MS13-037 and MS13-038. BeyondTrust CTO Marc Maiffret said: “MS13-037, affects every version of Internet Explorer, 6 through 10, and therefore affects every version of Windows. Three of the CVEs: CVE-2013-1308, CVE-2013-1309 and CVE-2013-2551, affect every version as well, so attackers will likely be focusing on those CVEs in an attempt to target as broad of an audience as possible with the least amount of effort as is needed.

“The second bulletin, MS13-038, addresses the Internet Explorer zero-day that was publicly disclosed on 3rd May. Take note that while no known attack vectors exist for Internet Explorer 9 in the default configuration, the vulnerable component still exists and is therefore receiving an update.”

Paul Henry, security and forensic analyst at Lumension, said: “It's a relief to see that Microsoft has addressed this so quickly, since it is being actively exploited. These two patches should be your top priority. Additionally, we always recommend upgrading to the latest version of any software, as that's typically the most secure. If your system is compatible with IE10 and you're not running it already, upgrade now.”

Wolfgang Kandek, CTO of Qualys, said: “M13-038 was an ad hoc update this month and kudos to Microsoft for turning it around in such a short time frame. MS13-037 however, is the expected update to Internet Explorer that addresses the two vulnerabilities used by researchers at Vupen to exploit IE10 during the PWN2OWN competition at CanSecWest in Vancouver in March.

“The exploit is rated a ‘1' on the Microsoft Exploitability Index, meaning that Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website. Patch this vulnerability as soon as possible.”

The other patch recommended by Childs was MS13-039, which is rated as important. Ziv Mador, director of security research at Trustwave, said that this fixes a denial-of-service in HTTP.sys, a kernel mode driver that handles HTTP internet traffic allowing multiple applications to pass traffic over the same port. “However if an attacker sends a specially crafted HTTP packet to a Windows 2012 Server, they could trigger an infinite loop in the HTTP protocol stack and cause a denial-of-service,” he said.

Maiffret said: “MS13-039 addresses a privately reported denial-of-service vulnerability in Windows 8, Server 2012 and RT. This is possible by simply sending a specially crafted HTTP header to a vulnerable server, causing it to go into an infinite loop. Attackers will be interested in this vulnerability because it affects the latest versions of Windows Server and can trivially be exploited by attackers.

“Even though this bulletin is only rated as important, it should be patched immediately, since attackers will likely start to leverage this vulnerability as soon as possible.”

Lamar Bailey, director of security research and development at Tripwire, said: “MS13-039 could arguably be the most important bulletin this month, depending on your business. Many businesses use Server 2012 on mission critical servers in the data centre, so outages could have a huge impact on businesses that depend on up time or deliver against an SLA. This bug does not require a sophisticated attack so we'll see an exploit the next few weeks.”

Adobe also released patches last night, with updates for three products: ColdFusion (APSB13-03); the web application development environment of Flash; and Reader (APSB13-15).

Kandek said: “The update to ColdFusion addresses a zero-day vulnerability that has an exploit in the wild; Adobe has given workaround instructions in APSA13-03. The Reader update contains fixes for 27 vulnerabilities and affects all versions of Reader supported (9, X and XI) and is rated critical and includes Adobe's fixes for the PWN2OWN vulnerabilities as well - patch as soon as possible because Adobe Reader is frequently attacked with file-based exploits. The Flash update addresses seven vulnerabilities - all found by Google's security team.”

Henry said: “We are unfortunately seeing Adobe becoming more of a threat vector again. You may recall issues with Adobe products a few years ago that made them the ‘primary threat vector' for internet bad guys. They then lost that crown to Oracle Java.

“The recent Adobe PDF tracking issue and the zero-day in Adobe ColdFusion, which has been under active attack recently, were patched today in the regular monthly patch release from Adobe.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews