Today Microsoft released patches to fix 94 vulnerabilities, 27 of which address remote code execution issues that can allow attackers to remotely take control of victim machines. This is a massive update and fixes more than double the number of vulnerabilities compared to the last two months.
Update 2: McAfee published an analysis of an exploit for CVE-2014-1761. Very interesting and eye-opening, as everything is controlled through the RTF document itself:
- The attackers use a listoverridecount value of 25, which lies outside the values 0, 1 or 9 that the standard specifies. This confuses the RTF handler in Word and makes it possible to control the contents of the processor's program counter.
- This gives the attacker the basis for arbitrary code execution. In this case the attackers are able to point the program counter at machine code included in the document itself, which makes the exploit very self-contained: no additional setup files are needed.
Conclusion: Patch this as quickly as possible, i.e. next Tuesday. The attacks are real and happening now. The exploit does not look that hard to replicate with the information provided. Beyond patching, it makes sense to disable RTF opening anyway, which is what the FixIt in KB2953095 does. It certainly looks as if there is more potential for this type of vulnerability, which can be found with relatively little investment in file fuzzing. See Charlie Miller’s presentation on "dumb fuzzing" for some initial reading.
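As an added example (not part of the original post and not McAfee's analysis code), the following Python scanner illustrates the detection side of the point above: it walks the control words of an RTF file and flags any listoverridecount whose value is outside the 0, 1 or 9 the standard allows. The two sample documents embedded in it are constructed for illustration only; a real document would be read from disk with the command-line usage at the bottom.

```python
import re
import sys
from typing import List, Tuple

# Values of listoverridecount that the RTF standard allows (as stated in the
# analysis above); anything else is reported as anomalous.
ALLOWED_LISTOVERRIDECOUNT = {0, 1, 9}

# An RTF control word: a backslash, letters, and an optional signed numeric
# parameter, e.g. "\listoverridecount25" -> ("listoverridecount", "25").
CONTROL_WORD = re.compile(rb"\\([A-Za-z]+)(-?\d+)?")


def is_rtf(data: bytes) -> bool:
    # Every RTF file opens with the "{\rtf" group header (leading whitespace tolerated).
    return data.lstrip().startswith(b"{\\rtf")


def scan_rtf(data: bytes) -> List[Tuple[int, str]]:
    """Return a list of (byte offset, message) findings for the document.

    An empty list means no listoverridecount anomaly was found.
    """
    findings: List[Tuple[int, str]] = []
    if not is_rtf(data):
        return [(0, "not an RTF document (missing {\\rtf header)")]

    for m in CONTROL_WORD.finditer(data):
        word, param = m.group(1), m.group(2)
        if word != b"listoverridecount":
            continue
        if param is None:
            # The control word without a parameter is itself malformed.
            findings.append((m.start(), "\\listoverridecount without a numeric parameter"))
            continue
        value = int(param)
        if value not in ALLOWED_LISTOVERRIDECOUNT:
            findings.append(
                (m.start(),
                 f"\\listoverridecount{value} outside allowed values "
                 f"{sorted(ALLOWED_LISTOVERRIDECOUNT)}")
            )
    return findings


# Constructed sample documents (not real malware): a well-formed list override
# table, and the same table carrying the out-of-range count described above.
BENIGN_RTF = (
    b"{\\rtf1\\ansi{\\*\\listoverridetable{\\listoverride\\listid1"
    b"\\listoverridecount0\\ls1}}\\pard Hello}"
)
SUSPICIOUS_RTF = (
    b"{\\rtf1\\ansi{\\*\\listoverridetable{\\listoverride\\listid1"
    b"\\listoverridecount25\\ls1}}\\pard Hello}"
)


if __name__ == "__main__":
    # Usage: python rtf_listoverride_check.py file1.rtf [file2.rtf ...]
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            for offset, msg in scan_rtf(fh.read()):
                print(f"{path}: offset {offset}: {msg}")
```

The scanner deliberately does not try to parse the full RTF group structure; it only needs to see the control word and its parameter, which is enough to triage mail attachments or a file share before they reach an unpatched Word. Treat a hit as a reason to quarantine and inspect, not as proof of exploitation, since a fuzzed or corrupted document can produce the same value by accident.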
Today Microsoft pulled an Office 2013 UI update for Outlook (KB2817630) from the Windows Update servers. The update was meant to improve the usability of Outlook 2013, but under certain conditions it rendered the Navigation pane in Outlook unusable.
The update KB2817630 applies only to Office 2013 and is unrelated to security bulletin MS13-068, which applies only to Microsoft Office 2007 and 2010 and which we continue to recommend as a high-priority security update.
Today’s Microsoft Patch Tuesday for September 2013 brings us 13 bulletins fixing 47 distinct vulnerabilities. Thirteen bulletins is one less than originally announced last week: number fourteen, which applies to .NET and addresses a Denial-of-Service (DoS) vulnerability, is being held back for further testing. Adobe also announced new versions that fix critical vulnerabilities in Flash, Adobe Reader and Shockwave.
Microsoft announced its lineup for next week’s Patch Tuesday. We will get 14 bulletins, bringing the number for this year to 80 already in September. We are well on our way to more than 100 bulletins this year, compared to 83 in 2012 and exactly 100 in 2011, a good reflection of how challenging the computer security business continues to be.