Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-531 on Wednesday, October 9th.

MS13-080

Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS13-081

OpenType Font Parsing Vulnerability CVE-2013-3128
Windows USB Descriptor Vulnerability CVE-2013-3200
Win32k Use After Free Vulnerability CVE-2013-3879
App Container Elevation of Privilege Vulnerability CVE-2013-3880
Win32k NULL Page Vulnerability CVE-2013-3881
DirectX Graphics Kernel Subsystem Double Fetch Vulnerability CVE-2013-3888
TrueType Font CMAP Table Vulnerability CVE-2013-3894

MS13-082

OpenType Font Parsing Vulnerability CVE-2013-3128
Entity Expansion Vulnerability CVE-2013-3860
JSON Parsing Vulnerability CVE-2013-3861

MS13-083

Comctl32 Integer Overflow Vulnerability CVE-2013-3195

MS13-084

Microsoft Excel Memory Corruption Vulnerability CVE-2013-3889
Parameter Injection Vulnerability CVE-2013-3895

MS13-085

Microsoft Excel Memory Corruption Vulnerability CVE-2013-3889
Microsoft Excel Memory Corruption Vulnerability CVE-2013-3890

MS13-086

Memory Corruption Vulnerability CVE-2013-3891
Memory Corruption Vulnerability CVE-2013-3892

MS13-087

Silverlight Vulnerability CVE-2013-3896

 

MS13-080

The first bulletin this month is also the one that people should patch first. This month’s 10 Internet Explorer CVEs contain two 0-days that are currently being used in targeted attacks, one of which was shared publicly before the patch was released. The public 0-day is already shipping in exploit frameworks and it’s likely that we’ll see this new vulnerability join it in the near future. Users would be smart to deploy this update as quickly as possible.

MS13-081

The second bulletin this month is reminiscent of a loot bag at a child’s birthday party. It’s an assortment of vulnerabilities in Windows Kernel-Mode Drivers that in years gone by would have been shipped as separate bulletins. In, what appears to be, an effort to keep their bulletin count low, Microsoft has started this trend of shipping bulletins that patch multiple products. This can be a logistical nightmare for system administrators trying to determine which patches to deploy to some systems.

MS13-082

Up next, we have the expected .NET bulletin. One of these vulnerabilities, CVE-2013-3128, is also patched in the previous bulletin (MS13-081). This is the first of two instances of a CVE split between multiple bulletins. This has happened a few times in recent history. The good news with this bulletin is that two of the three CVEs are denial of service issues, while the third one (code execution) only exists in XAML Browser Applications, which, by default, only execute in the Intranet zone within Internet Explorer.

MS13-083

The fourth bulletin this month resolves a single vulnerability affecting Windows Common Controls. Attackers could execute code in the context of the current user, which could mean the web server in certain circumstances. This vulnerability is exploitable against ASP.NET applications that use the Windows Common Controls and, more specifically, the DSA_InsertItem function.

MS13-084

MS13-084 is the bulletin that’s most likely to cause administrators to curl up into a ball and cry. If you managed to install last month’s SharePoint patch, you have another one ready to be installed. If you haven’t completed testing yet, you get to start testing all over with a new patch. Either way, it’s going to be another busy month for SharePoint Admins. This bulletin contains CVE-2013-3889, which is shared with MS13-0085.

MS13-085

Patch Tuesday just wouldn’t be the same without multiple Microsoft Office related patches and this bulletin helps to deliver on that. With two Excel vulnerabilities affecting all shipping versions of Excel, this patch may be higher on your list than other patches released this month.

MS13-086

The second last bulletin this month resolves two vulnerabilities in Microsoft Word. The good news here is that only older versions of Word (2007 and before) are affected, so users that have upgraded to the latest versions of Office won’t need to deal with this bulletin.

MS13-087

The final bulletin this month affects Silverlight and makes you wonder if there’s any reason to have Silverlight installed these days. Unless you have an organizational need for Silverlight, it may be better to start removing it from systems rather than deploying updates. It’s always a good idea to reduce your attack surface whenever possible.

Additional Information

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

Automated Exploit
MS13-080
Easy
Moderate
Difficult
Extremely Difficult
No Known Exploit
MS13-087 MS13-082
MS13-085
MS13-086
MS13-083
MS13-084
MS13-081
Exposure
Local
Availability
Local
Access
Remote
Availability
Remot
Access
Local
Privileged
Remote
Privileged