Security
Headlines
HeadlinesLatestCVEs

Headline

Assessing risk for the November 2013 security updates

Today we released eight security bulletins addressing 19 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment. Bulletin Most likely attack vector Max Bulletin Severity Max Exploit-ability Likely first 30 days impact Platform mitigations and key notes MS13-090(ActiveX killbit) Victim browses to a malicious webpage.

msrc-blog
#vulnerability#web#mac#windows#dos#git#zero_day

Today we released eight security bulletins addressing 19 CVE’s. Three bulletins have a maximum severity rating of Critical while the other five have a maximum severity rating of Important. We hope that the table below helps you prioritize the deployment of the updates appropriately for your environment.

Bulletin

Most likely attack vector

Max Bulletin Severity

Max Exploit-ability

Likely first 30 days impact

Platform mitigations and key notes

MS13-090(ActiveX killbit)

Victim browses to a malicious webpage.

Critical

1

Expect to continue seeing driveby-style attacks leveraging CVE-2013-3918.

Addresses the out-of-bounds memory access vulnerability mentioned on the FireEye blog on Friday: http://www.fireeye.com/blog/technical/2013/11/new-ie-zero-day-found-in-watering-hole-attack.html. More information about this attack can be found on our blog at http://blogs.technet.com/b/srd/archive/2013/11/12/technical-details-of-the-targeted-attack-using-cve-2013-3918.aspx

MS13-088(Internet Explorer)

Victim browses to a malicious webpage.

Critical

1

Likely to see reliable exploits developed within next 30 days.

MS13-089(Windows GDI)

Victim opens a malicious .WRI file in Wordpad

Critical

1

Likely to see reliable exploits developed within next 30 days.

This update addresses a vulnerability in converting a BMP to WMF. While the Wordpad vector would be only “Important” severity, we believe other attack vectors may exists if third party applications are installed. Those attack vectors may not require user interaction. Therefore, out of an abundance of caution, we’ve rated this bulletin “Critical”.

MS13-091(Word)

Victim opens malicious Word document.

Important

1

Likely to see reliable exploits developed within next 30 days.

MS13-092(Hyper-V)

Attacker running code inside a virtual machine can cause bugcheck of host hypervisor system; or potentially execute code in another VM running on same hypervisor system.

Important

1

Likely to see reliable denial-of-service exploit developed within next 30 days.

Guest -> Host is denial-of-service (bugcheck). Guest -> Guest has potential for code execution.

MS13-093(AFD.sys)

Attacker running code at low privilege runs malicious EXE to reveal kernel memory addresses and contents.

Important

n/a

No chance for direct code execution. Information disclosure only.

Affects only 64-bit systems. Does not affect Windows 8.1.

MS13-094(Outlook)

Attacker sends victim S/MIME email that triggers a number of HTTP requests during S/MIME signature validation. Because requests can be sent to an arbitrary host and port, timing differences can reveal to the attacker which hosts and ports are accessible to the victim’s computer.

Important

n/a

No chance for direct code execution. Information disclosure only.

This vulnerability can be leveraged to “port scan” several thousand ports per S/MIME email opened by victim. Signature verification for multiple S/MIME signers in this way will take some time and will block Outlook during the process.

MS13-095(Digital signature parsing denial-of-service)

Attackers sends malformed X.509 certificate to web service causing temporary resource exhaustion denial-of-service condition.

Important

n/a

No chance for direct code execution. Denial of service only.

- Jonathan Ness, MSRC Engineering

Related news

Technical details of the targeted attack using IE vulnerability CVE-2013-3918

Over the weekend we became aware of an active attack relying on an unknown remote code execution vulnerability of a legacy ActiveX component used by Internet Explorer. We are releasing this blog to confirm one more time that the code execution vulnerability will be fixed in today’s UpdateTuesday release and to clarify some details about the second vulnerability reported.

ActiveX Control issue being addressed in Update Tuesday

Late last Friday, November 8, 2013, a vulnerability, CVE-2013-3918, affecting an Internet Explorer ActiveX Control was publically disclosed. We have confirmed that this vulnerability is an issue already scheduled to be addressed in “Bulletin 3”, which will be released as MS13-090, as listed in the November Advanced Notification Service (ANS). The security update will be distributed to customers tomorrow via Windows Update at approximately 10:00 AM PDT.

msrc-blog: Latest News

Mitigating NTLM Relay Attacks by Default