As expected, Microsoft began shipping its latest batch of Patch Tuesday patches earlier this afternoon. However, while it was heavily presumed the update would fix at least one Internet Explorer zero day, the update actually fixes two critical vulnerabilities in the browser.
Eight bulletins — four critical — and 28 vulnerabilities in total are addressed by the update, the 10th anniversary release of the company’s popular flaw remediation program.
Naturally, at the top of the list is MS13-080, which addresses the much-discussed use-after-free bug (CVE-2013-3893) in the Microsoft HTML rendering engine used by IE. The zero day targeted all builds of IE over the course of the last month or so, and this patch, which also loops in nine other IE fixes, builds off of a FixIt tool Microsoft released for the issue in mid-September.
The vulnerability gained notoriety in the last few weeks following the creation of a Metasploit module and the emergence of several campaigns targeting Asia that used the exploit as an attack vector.
Among those nine IE vulnerabilities, CVE-2013-3897 is also getting the attention of researchers today. The issue, a memory corruption vulnerability that has been spotted in targeted exploitation, was discovered in part by the National Cyber Security Centre of the Netherlands, according to Microsoft.
Trustwave’s SpiderLabs posted a brief synopsis of the vulnerability today and claims the zero day has been in the wild for more than a month and campaigns initially targeted Japanese and Korean users.
According to Wolfgang Kandek, the CTO of cloud security firm Qualys, the vulnerability was still shoehorned into Internet Explorer’s cumulative security update, despite only recently being discovered.
“In the last two weeks, attacks against the same vulnerability became public, again limited and targeted in scope, but since the fix was in the code already, it enabled Microsoft to address the vulnerability… in record time,” Kandek said Tuesday.
Much like the use-after-free bug, attacks against CVE-2013-3897 were spotted in the wild but weren’t widespread enough to force Microsoft to issue an out-of-band patch before this week’s update.
The rest of the month’s updates address remote code execution issues in Windows, Office, .NET, Server, SharePoint and an information disclosure issue in Silverlight.
While they’re not known to be actively exploited, three of those issues are marked critical, including vulnerabilities in both Windows’ kernel mode driver (MS13-081) and .NET Framework (MS13-082) that stem from problems with embedded OpenType fonts.
The last critical issue involves a remote, server-side vulnerability in ASP.NET that could let attackers send a specially crafted web request to an ASP.NET web app running on an affected system and in turn, run arbitrary code.
Rapid 7’s Ross Barrett, senior manager of security engineering, called the vulnerability a “real, honest to goodness, potentially ‘wormable’ condition” Tuesday, warning it could spread rapidly.
“If the ‘bad guys’ figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested,” Barrett said.
The rest of the patches address relatively minor issues – at least in comparison to the IE vulnerabilities – in Sharepoint, Microsoft Word, Excel and the company’s application framework, Silverlight.
Per usual, the updates will be deployed on most users’ machines automatically over the next day or so. Those who don’t have automatic updates enabled will want to check for updates and install them manually, especially those who run any version of Internet Explorer.