This week Microsoft released two critical Internet Explorer updates, and everyone should update IE as soon as possible. MS13-038 contains the fix for CVE-2013-1347, the bug first discovered in the Department of Labor hack earlier this month.

“The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft stated in the Bulletin.

“This security update is rated Critical for Internet Explorer 8 on Windows clients and Moderate for Internet Explorer 8 on Windows servers. This security update has no severity rating for Internet Explorer 9.”

Since we have two critical IE bulletins this month, it seems like MS13-038 might have been scheduled for a possible out-of-band release if it didn’t line up with the normal patch schedule. Either way, kudos to Microsoft for the fast turnaround on a fix for CVE-2013-1347 — official patches are definitely better than ‘fix-its’.

MS13-037 is the other critical IE patch, and covers vulnerabilities reported from PWN2Own, ZDI, and various other sources, so install this right away as well.

“The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft stated.

“This security update is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows clients and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 on Windows servers.”

MS13-039 could arguably be the most important bulletin this month, depending on your business. This bulletin affects Windows Server 2012 and can be used for a denial of service attack. Many businesses use Server 2012 on mission critical servers in the datacenter, so outages could have a huge impact if your business depends on uptime or has to deliver against an SLA.

This bug does not require a sophisticated attack, so we’ll see an exploit in the next few weeks. Get this one patched ASAP. The other bulletins cover Office applications, Windows Writer and Lync, but their impact pales in comparison to the IE and Server 2012 issues.


Lamar Bailey

Lamar Bailey has contributed 7 posts to The State of Security.