Headline
Assessing risk for the August 2013 security updates
Today we released eight security bulletins addressing 23 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Index Likely first 30 days impact Platform mitigations and key notes MS13-059(Internet Explorer) Victim browses to a malicious webpage.
Today we released eight security bulletins addressing 23 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.
Bulletin
Most likely attack vector
Max Bulletin Severity
Max Exploit-ability Index
Likely first 30 days impact
Platform mitigations and key notes
MS13-059(Internet Explorer)
Victim browses to a malicious webpage.
Critical
1
Likely to see reliable exploits developed within next 30 days.
Also addresses the ASLR bypass used as part of one of the CanSecWest pwn2own exploits (IE9 broker issue used in the VUPEN Adobe Flash exploit).
MS13-060(Unicode font in browser)
Victim with Indic language pack installed browses to a malicious webpage.
Critical
2
Less likely to see reliable exploit code within 30 days.
Affects only Windows XP and Windows 2003 machines where the Bangali font is installed. More detail here: http://www.bhashaindia.com/ilit/GettingStarted.aspx?languageName=Tamil
MS13-061(Oracle Outside In for Exchange)
Attacker sends email with malicious attachment and lures victim to view the attachment as a webpage within Outlook Web Access. The attacker could potentially compromise the server-side process generating the web page.
Critical
2
Less likely to see reliable exploit code within 30 days.
Addresses Oracle Outside In issues included in the Oracle July 2013 security update: http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
MS13-063(Kernel)
Attacker who is already running code on a machine uses this vulnerability to elevate from low-privileged account to SYSTEM.
Important
1
Likely to see reliable exploits developed within next 30 days.
Also addresses CVE-2013-2556, the LdrHotPatchRoutine Windows ASLR bypass used as part of a CanSecWest pwn2own exploit. You can read more about that aspect of this update in this SRD blog post.
MS13-062(RPC)
Attacker on the same machine as a higher-privileged user making asynchronous RPC requests to a remote resource may be able to have RPC request executed as the higher-privileged user. (Example: print server scenario where higher privileged user is continually submitting print jobs)
Important
1
Likely to see reliable exploits developed within next 30 days. However, limited scenarios in which attack could be used.
This is a post-auth race condition attack with several pre-conditions. Difficult to trigger reliably.
MS13-066(Active Directory Federated Services)
Attacker can leverage information leak to lock out service account used by ADFS, denying service to users.
Important
3
Denial of service only.
MS13-065(ICMP)
Attacker send malicious ICMP packet causing denial-of-service on victim recipient.
Important
3
Denial of Service only.
Difficult to reproduce this one. Likely will require third party driver installed and packet stored in memory aligned with the page boundary.
MS13-064(NAT driver)
Attacker can send malicious network attack against Direct Access server causing denial-of-service.
Important
3
Denial of Service only.
Only affects machines running WinNat service. This service was first introduced with Windows Server 2012 and is off by default.
- Jonathan Ness, MSRC Engineering