November 2013 Patch Tuesday

Microsoft today published eight security bulletins for the November 2013 Patch Tuesday, addressing 19 distinct vulnerabilities.

At the top of our priority list of patches and workarounds are the two open 0-day vulnerabilities:

• The Internet Explorer 0-day disclosed last week (see the blogpost by FireEye) can be addressed with a real patch, MS13-090, which implements a simple killbit setting that disables the affected ActiveX control “Information Card Signin Helper.” The attack vector here is a malicious webpage configured for a drive-by-download attack. More information in Microsoft’s SRD blog post.
• The TIFF graphic format vulnerability in the GDI+ library, also disclosed last week, which continues with no patch this month. However, there is an easy-to-implement workaround — a registry setting disabling the rendering of TIFF files — detailed in security advisory KB2896666 and made available as an MSI file. The attack vector seen in the wild is a malicious Word document.

The remaining bulletins cover “normal” vulnerabilities that were disclosed in a coordinated fashion to Microsoft. The highest priority here goes to MS13-088, the Internet Explorer bulletin, which fixes 10 vulnerabilities. The bulletin is rated “critical” and covers all versions of Internet Explorer, from version 6 to 11. The vulnerabilities addressed could be abused to gain Remote Code Execution (RCE), all by simply browsing to a malicious website.

The next two bulletins both address file format vulnerabilities that allow for RCE when opening a specifically crafted malicious file:

• MS13-089 for the Windows GDI library – It fixes a vulnerability in the BMP/WMF conversion, which can be attacked through a malicious .WRI file in Wordpad.
• MS13-091 for Microsoft Word – It addresses vulnerabilies in Word and the WordPerfect converter parser.

The remaining vulnerabilities are all less critical, rated “important” and can be addressed in your normal patch schedule. One, MS13-092, stands out, however. It is a vulnerability in Microsoft virtualization product Hyper-V that can be used for DoS attacks against the Hyper-V host, and under certain circumstances, can allow for code execution in another Hyper-V guest machine. MS13-094 fixes a S/MIME e-mail flaw in Outlook that allows the attacker to perform a port scan on the internal network. Such an attack is very clever, but most likely it’s too complicated to be useful, for more info see this post by Alex Klink, also the discoverer of MS13-068. MS13-093 fixes a driver issue in AFD.sys that leaks information on memory locations, which is useful in conjunction with other more severe vulnerabilities. Finally, MS13-095 addresses a DoS condition that can be caused by the excessive nesting of X.509 certificates.

Microsoft also updated KB2755801, which indicates that it is delivering a new version of Adobe’s Flash player with Internet Explorer 10 (IE10). IE10 and Google Chrome both take responsibility for updating the Adobe Flash plugin. Users of other browsers can get information on the update which addresses two critical vulnerabilities here at the Adobe site ABSB13-026.

Overall, while it is only a medium-sized Patch Tuesday, pay special attention to the two 0-days and the Internet Explorer update. Browsers continue to be the favorite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets.