Microsoft has issued security updates to fix at least 23 distinct vulnerabilities in its Windows operating systems and other software. Three of the patch bundles released today address flaws rated “critical,” meaning that malware or miscreants can use them to break into Windows PCs without any help from users.
Leading the critical updates is a cumulative patch for Internet Explorer (MS13-059) that affects every version of the browser on nearly all supported versions of Windows. In its advisory, Microsoft warns it is highly likely that attackers will soon develop exploit code to attack the flaws addressed in this patch. Indeed, according to Ross Barrett, manager of security engineering at Rapid7, the IE patch addresses a vulnerability first demonstrated at the Pwn2Own contest at the CanSecWest conference in March of this year.
Another critical update, MS13-060, is a browse-and-get-owned font vulnerability that affects users on Windows XP and Server 2003. The final critical patch, MS13-061, tackles several flaws in Microsoft Exchange that stem from a third-party component from Oracle called Outside In.
Security experts differ over which patches marked “important” in severity are the most interesting this month. Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, says that the most surprising patch in this category is MS13-063, a Windows kernel vulnerability that addresses another bug first disclosed (PDF) at this year’s CanSecWest. The vulnerability allows attackers to bypass an anti-exploitation protection built into Windows called address space layout randomization (ASLR). Kandek notes that the researcher who discovered that flaw — Yang Yu from Chinese security firm NSFocus — probably could have earned up to $100,000 for reporting it to Microsoft, had he known Microsoft was going to start paying researchers for such bugs.
“Microsoft believes it could have qualified for one of the high-paying bounties (up to $100,000) of the current BlueHat program,” Kandek wrote. “Alas, at the time, the program did not exist, and Yang Yu had no way of knowing that the program was in the works.”
For his part, Rapid7’s Barrett said perhaps the most genuinely interesting vulnerability this month is MS13-062, which is reported as a flaw that allows lesser users to elevate their privileges on Windows.
“Microsoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong,” Barrett quipped.
Patches are available through Windows Update or via Automatic Updates. As always, if you experience any issues applying any of these patches, please leave a note in the comments section below.