Microsoft today issued eight bulletins addressing 19 separate vulnerabilities in its Windows operating system, Internet Explorer Web browser, Office, and other products.
Microsoft gave three of the bulletins its highest “critical” rating, while the remaining five received the second-most-severe “important” rating. One of the critically rated bulletins addresses an Internet Explorer zero-day vulnerability that attackers have exploited to launch watering hole attacks against an unnamed U.S.-based non-governmental organization.
The zero-day bug is fixed by MS13-090, a cumulative update for ActiveX Kill Bits. The actively exploited vulnerability, which exists in the InformationCardSigninHelper Class ActiveX control, could allow an attacker to initiate remote code execution if a user views a maliciously crafted webpage in Internet Explorer. As always, users with less user-rights could be less impacted than those administrative rights.
Microsoft is not patching a second zero-day in its Office product suite yet, but they have built a work-around for it. Known as the TIFF zero-day, researchers from SpiderLabs wrote on their blog that Microsoft’s FixIt tool should mitigate the issue until Microsoft patches it with what will likely be an out-of-band patch before next month’s Patch Tuesday release.
Ross Barrett, senior manager of security engineering at Rapid7, noted in an email conversation with Threatpost that Microsoft’s failure to patch the TIFF bug is frustrating, but that they are seeing a very limited, targeted exploitation of the vulnerability – only in a specific region – and requiring user interaction to exploit. He is, therefore, saying that he wouldn’t worry about it too much.
Beyond these, MS13-088, Microsoft’s cumulative update for Internet Explorer, which is not related to the zero-days, is likely the next highest-priority fix for network operators. It resolves 10 privately reported bugs, the most severe of which could allow for remote code execution again if a user views a maliciously crafted webpage in Internet Explorer, thus granting an attacker the same user rights as the current user. The impact would once again depend on the level of rights the victim has on the browser.
The other critically rated bug resolves an issue in Windows’ graphics device interface and could also enable remote code execution if a user views or opens a specially crafted Windows Write file in WordPad. Again, users with less rights will be less impacted.
The remaining, important-rated bulletins, MS13-091 through MS13-095, resolve seven publicly and privately reported bugs: a remote code execution vulnerability in Office, an elevation of privileges flaw in Hyper-V, information disclosures in the Windows ancillary function driver and Outlook, and a denial of service problem in Windows digital signatures.
Tyler Reguly, a technical manager of security research and development at Tripwire, told Threatpost that the most interesting important-rated bugs are likely the Outlook vulnerability, which could enable port-scanning, and the Hyper-V vulnerability, because it could allow Guest OS to Guest OS code execution, and an X.509 issue in schannel.dll that could allow denial of service.
“Overall, while it is only a medium-sized Patch Tuesday, pay special attention to the two 0-days and the Internet Explorer update,” wrote Wolfgang Kandek, CTO of the IT security firm Qualys, in his analysis of the patch release. “Browsers continue to be the favorite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets.”
You can read Microsoft’s full bulletin advisories here.