VERT Alert - October 8, 2013

Today’s VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-531 on Wednesday, October 9th.

MS13-080

Multiple Memory Corruption Vulnerabilities in Internet Explorer

MULTIPLE

MS13-081

OpenType Font Parsing Vulnerability

CVE-2013-3128

Windows USB Descriptor Vulnerability

CVE-2013-3200

Win32k Use After Free Vulnerability

CVE-2013-3879

App Container Elevation of Privilege Vulnerability

CVE-2013-3880

Win32k NULL Page Vulnerability

CVE-2013-3881

DirectX Graphics Kernel Subsystem Double Fetch Vulnerability

CVE-2013-3888

TrueType Font CMAP Table Vulnerability

CVE-2013-3894

MS13-082

OpenType Font Parsing Vulnerability

CVE-2013-3128

Entity Expansion Vulnerability

CVE-2013-3860

JSON Parsing Vulnerability

CVE-2013-3861

MS13-083

Comctl32 Integer Overflow Vulnerability

CVE-2013-3195

MS13-084

Microsoft Excel Memory Corruption Vulnerability

CVE-2013-3889

Parameter Injection Vulnerability

CVE-2013-3895

MS13-085

Microsoft Excel Memory Corruption Vulnerability

CVE-2013-3889

Microsoft Excel Memory Corruption Vulnerability

CVE-2013-3890

MS13-086

Memory Corruption Vulnerability

CVE-2013-3891

Memory Corruption Vulnerability

CVE-2013-3892

MS13-087

Silverlight Vulnerability

CVE-2013-3896

MS13-080

The first bulletin this month is also the one that people should patch first. This month’s 10 Internet Explorer CVEs contain two 0-days that are currently being used in targeted attacks, one of which was shared publicly before the patch was released. The public 0-day is already shipping in exploit frameworks and it’s likely that we’ll see this new vulnerability join it in the near future. Users would be smart to deploy this update as quickly as possible.

MS13-081

The second bulletin this month is reminiscent of a loot bag at a child’s birthday party. It’s an assortment of vulnerabilities in Windows Kernel-Mode Drivers that in years gone by would have been shipped as separate bulletins. In, what appears to be, an effort to keep their bulletin count low, Microsoft has started this trend of shipping bulletins that patch multiple products. This can be a logistical nightmare for system administrators trying to determine which patches to deploy to some systems.

MS13-082

Up next, we have the expected .NET bulletin. One of these vulnerabilities, CVE-2013-3128, is also patched in the previous bulletin (MS13-081). This is the first of two instances of a CVE split between multiple bulletins. This has happened a few times in recent history. The good news with this bulletin is that two of the three CVEs are denial of service issues, while the third one (code execution) only exists in XAML Browser Applications, which, by default, only execute in the Intranet zone within Internet Explorer.

MS13-083

The fourth bulletin this month resolves a single vulnerability affecting Windows Common Controls. Attackers could execute code in the context of the current user, which could mean the web server in certain circumstances. This vulnerability is exploitable against ASP.NET applications that use the Windows Common Controls and, more specifically, the DSA_InsertItem function.

MS13-084

MS13-084 is the bulletin that’s most likely to cause administrators to curl up into a ball and cry. If you managed to install last month’s SharePoint patch, you have another one ready to be installed. If you haven’t completed testing yet, you get to start testing all over with a new patch. Either way, it’s going to be another busy month for SharePoint Admins. This bulletin contains CVE-2013-3889, which is shared with MS13-0085.

MS13-085

Patch Tuesday just wouldn’t be the same without multiple Microsoft Office related patches and this bulletin helps to deliver on that. With two Excel vulnerabilities affecting all shipping versions of Excel, this patch may be higher on your list than other patches released this month.

MS13-086

The second last bulletin this month resolves two vulnerabilities in Microsoft Word. The good news here is that only older versions of Word (2007 and before) are affected, so users that have upgraded to the latest versions of Office won’t need to deal with this bulletin.

MS13-087

The final bulletin this month affects Silverlight and makes you wonder if there’s any reason to have Silverlight installed these days. Unless you have an organizational need for Silverlight, it may be better to start removing it from systems rather than deploying updates. It’s always a good idea to reduce your attack surface whenever possible.

Additional Information

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

Automated Exploit
    MS13-080        
Easy
             
Moderate
             
Difficult
             
Extremely Difficult
             
No Known Exploit
MS13-087   MS13-082
MS13-085
MS13-086
  MS13-083
MS13-084
MS13-081  
 
Exposure
Local
Availability
Local
Access
Remote
Availability
Remot
Access
Local
Privileged
Remote
Privileged