Update 2: Microsoft reissued MS13-061 today to include Exchange 2013 again. You should be able to install it now without issues, but it makes sense to test the installation in your environment and/or wait until your next downtime for the installation.
Update: Microsoft has pulled the MS13-061 update for Exchange 2013 because it causes a corruption of the index database. Hopefully you have not been impacted, because you do not install server patches on critical machines right away, which seems like a good cautious measure at the moment. Nevertheless If you have Exchange 2013 and have not installed MS13061 yet then wait. If you have installed it and your installation shows signs of the issue, please take a look a KB2879739 for a workaround involving the editing of registry keys.
We will update this blog as more information becomes available.
Original: Eight bulletins addressing 23 vulnerabilities are on the docket for this month’s Microsoft Patch Tuesday. Three of the bulletins are rated “critical” and should be addressed as quickly as possible if your organization has the affected software installed.
For MS13-059, the affected software is Internet Explorer (IE) and is definitely installed. It fixes 11 vulnerabilities in all versions of IE from IE6 to IE10 on Windows RT. It is rated “critical” on all operating systems and should be installed as soon as possible, as its exploitation index is a low “1,” indicating that Microsoft believes that exploit code can be crafted relatively quickly (within 30 days). As usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing e-mail. Patch this immediately as the highest priority on your desktop system and wherever your users browse the web.
MS13-060 addresses a font vulnerability in the Bangali font, part of the Indic language pack. MS13-060 can only be exploited in Windows XP or Server 2003, so your organization might escape this patch if the language pack is not installed or if you are not running on XP anymore. If you are still running on XP and our stats indicate that over 13% of you are still on Windows XP, it is time to implement a migration plan to a newer operating system; after all, Windows XP loses its support in April of next year. It will then stop receiving security updates and will quickly deteriorate into an easy target for even inexperienced attackers.
The critical bulletin MS13-061 addresses three vulnerabilities in Microsoft Exchange that can be traced back to the third-party library Outside In from Oracle. Oracle published new versions of Outside In in April and July, and Microsoft has incorporated these new versions in this update. It is interesting to see how the relatively low severity vulnerabilities, CVE-2013-2393, CVE-2013-3776, and CVE-2013-3781 with a CVSS score of 1.5 by Oracle, become critical as the library is embedded in a software product that processes external files with vulnerable components. The attack vector is an e-mail with a malicious attachment, and it can only be triggered through Outlook Web Access (OWA). If you run exchange and your users have OWA, you should address this issue as quickly as possible. You should look into implementing the work-around that turns off document processing involving Outside In altogether; after all, there are probably still quite a bit of undiscovered vulnerabilities left in the library, as this recent blog post by Will Domann of CERT/CC showed us.
The remaining bulletins are of lower severity, and are all rated “important.” The most surprising is MS13-063, a Windows kernel vulnerability that addresses CVE-2012-2556 (an ASLR bypass) as a defense-in-depth measure. CVE-2014-2556 was published in March at the security conference CanSecWest in a presentation by the security researcher Yang Yu of NSFocus, and Microsoft believes (link) it could have qualified for one of the high-paying bounties (up to $100,000) of the current BlueHat program. Alas, at the time, the program did not exist, and Yang Yu had no way of knowing that the program was in the works…
MS13-065 is another interesting item in this month’s lineup. It addresses a vulnerability in the Windows TCP/IP stack for IPv6. A few ICMPv6 packets with Router Advertisements requests can cause a Denial of Service vulnerability reminiscent of the famous “Ping-of-Death.” It’s a good illustration of how much we still do not know about the stability of IPv6. We continue to recommend turning off IPv6 on workstations if your network is not engineered for its use. Take into account that a number of home networks already have IPv6 and that your corporate machines might be exposed to this attack vector already.
Overall, a normal Patch Tuesday with the Internet Explorer patch, which is now a normal monthly occurrence and the expected Microsoft Exchange fixes for the Oracle library Outside In, plus a good reminder of the Windows XP end-of-life.