Internet Explorer continues to dominate Microsoft’s 2013 security updates. Among the 12 bulletins and 57 vulnerabilities patched in today’s release were a cumulative update for the maligned browser and another fix for a bug being exploited in the wild.
Last month, an out-of-band fix for IE 6-8 patched zero-day flaws being exploited in a series of watering hole attacks against government, telecommunications, manufacturing and human rights sites. Today, vulnerabilities in IE 6-10 were patched, including critical bugs that could allow an attacker to remotely execute code or leak information, one of which is being exploited in limited targeted attacks, Microsoft said.
The IE patches should be applied immediately, experts said.
MS13-010 is being exploited in the wild; it covers a vulnerability in Microsoft’s implementation of Vector Markup Language (VML). While most renderings of two-dimensional vector graphics are based on Scalable Vector Graphics (SVG), Microsoft long ago chose VML as its de facto standard. VML has been implemented in IE since version 5. The vulnerability addressed today is in the VML DLL ActiveX control, and occurs in the way the browser handles objects in memory, Microsoft said. Users browsing with IE who are lured to a website hosting a malicious VML graphic could be exploited. Microsoft said specially crafted data could corrupt memory allowing an attacker to remotely execute code.
“VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing,” said Qualys CTO Wolfgang Kandek.
The cumulative update (MS13-009), meanwhile, patches an information-disclosure vulnerability in Shift JIS character encoding, as well as a dozen use-after-free vulnerabilities that allow remote code execution.
Microsoft said IE does not properly handle encoding for Shift JIS auto selection; this could allow an attacker using a drive-by download attack to access content from another domain or IE zone. Shift JIS is a character encoding for Japanese.
“That type of attack is common and is easily accomplished by surreptitiously installing malware on a Web surfer’s computer when he or she visits a page with malicious code on it,” Kandek said.
Twelve use-after-free flaws are also addressed; the remote code execution bugs were found in the way IE accesses objects that have been deleted in memory, the advisory said. Use-after-free vulnerabilities can be exploited in buffer overflow attacks, for example. Workstations and terminals are at higher risk than servers, Microsoft said, because Internet Explorer on Windows Server has run in a restricted mode since Windows Server 2003, which mitigates the vulnerability.
Three other critical bulletins were released today.
Microsoft patched a remote code execution vulnerability (MS13-011) in the way Microsoft DirectShow decompresses media files such as .mpg files, or Office documents such as large PowerPoint files. Users would have to open a malicious attachment or visit a website hosting malicious content to be exploited. DirectShow is used for streaming media on Windows systems; it is part of DirectX.
Two critical remote code execution vulnerabilities in Microsoft Exchange Server (MS13-012) were also patched. The flaws are in the Exchange WebReady Document Viewing feature. The more serious vulnerability can be exploited if a user views a malicious file through Outlook Web Access in a browser, Microsoft said. Attackers would be able to run code on Exchange only as the LocalService account, which has minimal privileges. The other vulnerability could cause the server to crash.
The other critical remote code execution vulnerability (MS13-020) was reported in Windows Object Linking and Embedding (OLE) Automation; the patch fixes how OLE Automation parses files. OLE is a Windows protocol that enables applications to share data; OLE Automation is a standard used by apps to expose OLE objects to development tools and more, Microsoft said. Users would have to open a malicious RTF email message in Outlook with Word as the email viewer, or a malicious RTF attachment, to trigger an exploit. Users could also be exploited by landing on a website hosting a malicious file.
The remaining bulletins were rated important, and include a host of privilege escalation, denial of service and remote code execution vulnerabilities.
- MS13-013 patches remote execution vulnerabilities in SharePoint’s FAST Search Server 2010.
- MS13-014 fixes a denial of service bug in NFS on Windows servers with NFS enabled.
- MS13-015 repairs a privilege escalation vulnerability in .NET that can allow .NET apps to bypass Code Access Security restrictions.
- MS13-016 handles flaws in Windows Kernel-Mode Driver where an attacker with valid credentials could elevate privileges.
- MS13-017 also patches a privilege escalation flaw in the Windows Kernel that requires valid credentials to exploit.
- MS13-018 addresses a denial of service vulnerability in TCP/IP that could occur if an attacker is able to send a malicious connection termination packet to a server.
- MS13-019 patches a privilege escalation flaw in Windows Client-Server Runtime Subsystem.