Assessing risk for the November 2013 security updates

Today we released eight security bulletins addressing 19 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin

Most likely attack vector

Max Bulletin Severity

Max Exploit-ability

Likely first 30 days impact

Platform mitigations and key notes

MS13-090(ActiveX killbit)

Victim browses to a malicious webpage.

Critical

1

Expect to continue seeing driveby-style attacks leveraging CVE-2013-3918.

Addresses the out-of-bounds memory access vulnerability mentioned on the FireEye blog on Friday: http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html. More information about this attack can be found on our blog at http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx

MS13-088(Internet Explorer)

Victim browses to a malicious webpage.

Critical

1

Likely to see reliable exploits developed within next 30 days.

MS13-089(Windows GDI)

Victim opens a malicious .WRI file in Wordpad

Critical

1

Likely to see reliable exploits developed within next 30 days.

This update addresses a vulnerability in converting a BMP to WMF. While the Wordpad vector would be only “Important” severity, we believe other attack vectors may exists if third party applications are installed. Those attack vectors may not require user interaction. Therefore, out of an abundance of caution, we’ve rated this bulletin “Critical”.

MS13-091(Word)

Victim opens malicious Word document.

Important

1

Likely to see reliable exploits developed within next 30 days.

MS13-092(Hyper-V)

Attacker running code inside a virtual machine can cause bugcheck of host hypervisor system; or potentially execute code in another VM running on same hypervisor system.

Important

1

Likely to see reliable denial-of-service exploit developed within next 30 days.

Guest -> Host is denial-of-service (bugcheck). Guest -> Guest has potential for code execution.

MS13-093(AFD.sys)

Attacker running code at low privilege runs malicious EXE to reveal kernel memory addresses and contents.

Important

n/a

No chance for direct code execution. Information disclosure only.

Affects only 64-bit systems. Does not affect Windows 8.1.

MS13-094(Outlook)

Attacker sends victim S/MIME email that triggers a number of HTTP requests during S/MIME signature validation. Because requests can be sent to an arbitrary host and port, timing differences can reveal to the attacker which hosts and ports are accessible to the victim’s computer.

Important

n/a

No chance for direct code execution. Information disclosure only.

This vulnerability can be leveraged to “port scan” several thousand ports per S/MIME email opened by victim. Signature verification for multiple S/MIME signers in this way will take some time and will block Outlook during the process.

MS13-095(Digital signature parsing denial-of-service)

Attackers sends malformed X.509 certificate to web service causing temporary resource exhaustion denial-of-service condition.

Important

n/a

No chance for direct code execution. Denial of service only.

- Jonathan Ness, MSRC Engineering