Assessing risk for the October 2013 security updates

msrc-blog
Today we released eight security bulletins addressing 25 CVEs. Four bulletins have a maximum severity rating of Critical while the other four have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

| Bulletin | Most likely attack vector | Max Bulletin Severity | Max Exploitability | Likely first 30 days impact | Platform mitigations and key notes |
| --- | --- | --- | --- | --- | --- |
| MS13-080 (Internet Explorer) | Victim browses to a malicious webpage. | Critical | 1 | Likely to see continued attacks against both CVE-2013-3893 and CVE-2013-3897. | Addresses two CVEs currently under limited attack and seven CVEs not known to be under attack. |
| MS13-081 (win32k.sys and OTF font parsing) | Most likely to be exploited attack vector requires attacker to already be running code on a machine and then uses this vulnerability to elevate from low-privileged account to SYSTEM. Additional attack vector involves victim browsing to a malicious webpage that serves up OTF font file resulting in code execution as SYSTEM. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS13-083 (ComCtl32) | Victim opens a malicious RTF file with an embedded control in either Word or Wordpad, resulting in potential code execution in the context of the logged-on user. | Critical | 1 | Likely to see reliable exploits developed within next 30 days. | ComCtl32 is used in a number of different scenarios. We expect the most likely attack vector is via MSCOMCTL within an Office document. However, we encourage customers to apply the update on all systems to address other attack vectors as well. |
| MS13-082 (.NET Framework) | Victim browses to malicious XBAP application hosted by an Intranet zone website. | Critical | 2 | Less likely to see reliable exploit developed for this or other .NET Framework vulnerabilities. | |
| MS13-085 (Excel) | Victim opens malicious Excel spreadsheet. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | |
| MS13-086 (Word) | Victim opens malicious Word document. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | Office 2010 and Office 2013 not affected. |
| MS13-084 (SharePoint) | Attacker sends victim a link exploiting a Cross-Site Scripting (XSS) vulnerability on an Intranet SharePoint server for which they have access rights. When the victim clicks the link, an automatic action is taken on their behalf on the SharePoint server that they otherwise might not have wanted to execute. | Important | 1 | Likely to see reliable exploits developed within next 30 days. | By default, modern browsers block XSS attacks in Internet Zone sites. |
| MS13-087 (Silverlight) | Possible to use as component in multi-stage attack as this vulnerability allows attacker access to memory addresses and/or contents from the same process. | Important | n/a | No potential for direct code execution. | Information disclosure only. |

- Jonathan Ness, MSRC Engineering
