Microsoft released 11 security bulletins last night on its final Patch Tuesday for 2013.
Including five rated as critical and six rated as important, they cover 24 flaws in Windows, Internet Explorer, Office and Exchange. Microsoft said that the priority should be for patches MS13-096, MS13-097, and MS13-099.
Tyler Reguly, security research and development manager at Tripwire, said that MS13-096, which fixes the zero-day vulnerability affecting TIFF file formats, should be considered first, and second is MS13-106, an update to hxds.dll.
Wolfgang Kandek, CTO of Qualys, said: “Our top priority today is MS13-096. This vulnerability is currently under targeted attacks in the Middle East and Asia, and the exploits typically arrive in an Office document. If your machines run on later versions of Microsoft software, you are not affected. However, if you are behind, you should install this patch as soon as possible as you are most likely on a vulnerable configuration, such as Windows XP or an older version of Office (2003 or 2007).
“After that we believe that MS13-097, which addresses seven vulnerabilities in Internet Explorer (IE) should be next on your priority list. All versions of IE are affected and the bulletin comes with a low Exploitability rating of 1, indicating that an exploit for the vulnerabilities would not be hard to craft. The exploit would be delivered through a malicious webpage.
“Also browser-related but in a separately installed ActiveX component, MS13-099 addresses a critical flaw in VBScript, which could be used to take control of the targeted machine.”
Ross Barrett, senior manager of security engineering at Rapid7, said that regarding MS13-099, he called it an “interesting vulnerability” because it’s exploitable by VBA script and is not mitigated by EMET counter measures, hence the high risk and priority ratings given by Microsoft.
“This issue is not yet publicly under exploit, but could be an early candidate to make the jump. This round of patching addresses the GDI+ issue which was publicly disclosed in early November in Security Advisory 2896666 and then blogged about by the various researchers.”
Elsewhere, Craig Young, security researcher at Tripwire, said that the “important” fix MS13-106 has a small change that enables address space layout randomisation (ASLR) for the hxds.dll system library. “This fix will go a long way toward protecting customers from future zero-day attacks,” he said.
“ASLR is a critical technology for mitigating code execution vulnerabilities. In short, this technology increases the difficulty of writing reliable exploits by making it more difficult for attackers to predict where certain machine instructions will exist in the system’s memory space. This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the ‘ms-help:’ protocol handler.
“Microsoft rated MS13-106 as ‘important’ rather than ‘critical’ because it does not directly address a vulnerability. From my point of view, there are malicious operators that already have knowledge of un
patched IE code execution bugs and new ones will continue to be discovered based on the steady stream of use-after-free bugs being reported.”
Kandek made the point that a recently revealed zero-day did not get addressed as it was discovered too late to make it into this release. He said: “It is also less severe as it depends on a second vulnerability for delivery on the targeted machine.In the wild, exploits have been delivered through a PDF document abusing an older vulnerability in Adobe Reader.
“Fortunately, the vulnerability only affects the older Windows, versions XP and 2003, and allows an attacker to become administrator and then install malware to take control of the machine. If you have a vulnerable configuration, we recommend you implement the work-around specified in security advisory KB2914486 and turn off the NDPROXY component. Side-effects should be minimal and limited to the telephony and modem interfaces which should not be in use in most environments.”
Elsewhere, Adobe released two updates for new versions of Shockwave and Flash.
