News

Microsoft's October Patch Includes 'Critical' IE Fix

• By Chris Paoli
• 10/08/2013

October marks the 10-year anniversary of Microsoft's first Patch Tuesday. And in celebrating a decade of Patch Tuesdays, Redmond is gifting IT four bulletin items rated "critical" and four "important" for October's monthly rollout.

This month's security update looks to fix 26 different vulnerabilities and, as is the norm, is highlighted with a cumulative fix for Internet Explorer (bulletin MS13-080). The bulletin takes care of one publicly disclosed and nine privately reported issues in Microsoft's Internet browser, including a fix for the IE zero-day flaw that Microsoft alerted users to in September. IT should make this a top priority as it affects all versions of IE, including Internet Explorer 11 running on the soon-to-be-released Windows RT 8.1.

"It's been an interesting month for the Microsoft Security watchers of the world," said Ross Barrett, senior manager of security engineering at Rapid7 in an e-mailed statement. "If your job depends on securing systems running Windows, you should be eagerly awaiting the patch for the Internet Explorer zero-day vulnerability in today's Patch Tuesday (MS13-080). Exploitation of this vulnerability was detected first in targeted, regionally restricted exploitation, and then later in broader use once the exploit code spread to various public sites."

Barrett also said bulletin MS13-080 takes care of another zero-day threat that had not been previously advertised by Microsoft. So even if you had applied the "fix-it" that was provided in September for the first zero-day flaw, that should not provide an excuse to hold up applying this item as soon as possible.

The second critical item of the month, bulletin MS13-081, fixes seven flaws in the Windows kernel. If gone unpatched, the most serious cconsequence could be a possible remote code execution attack if malicious OpenType or Truefont font files are previewed. While these seven vulnerabilities have yet to be seen being exploited in the wild, it still comes with the highest Microsoft severity level due to both the ease that attackers could turn a working exploit loose in the public and the fact that it affects every version of Windows and Windows Server.

Bulletin MS13-083, a fix for Windows, should be the third priority for IT this Patch Tuesday. Craig Young, security researcher at Tripwire said this item is especially important for system admins.

"The underlying flaw is within common controls that can potentially be attacked through means other than maliciously crafted RTF documents," said Young. "Another aspect of this bug which raises the importance of this update is that RTF exploits tend to provide a vector for the bypass of Address Space Layout Randomization (ASLR).  ASLR is a mitigation technology which makes it more difficult for an attacker to pre-determine memory address information needed to build a functional exploit."

The final critical item for October, bulletin MS13-082, addresses two issues in Microsoft .NET Framework that could lead to an RCE attack if a harmful Web site containing a specially crafted OpenType font is viewed in a browser supporting XBAP applications. This item affects all versions of Windows except Windows Server 2012 R2 and Windows RT 8.1.

Important Items
Microsoft's less-serious "important" bulletins include:

• MS13-084: Takes care of two RCE flaws in Microsoft Office that could be exploited if a harmful Office file is opened in an affected version of SharePoint, Office Services and Web Apps.
• MS13-085: This bulletin again takes care of two RCE Office flaws that are found in Office 2007, 2010 and 2013.
• MS13-086: As with the previous two items, this fixes two more RCE flaws in Office. This time, the vulnerabilities are isolated to Office 2003 SP3 and Office 2007 SP3.
• MS13-087: The final item of the month fixes one privately reported information disclosure flaw in Microsoft Silverlight 5.

Many of these bulletins may require a system restart to be fully applied. More information on October's security update can be found on the Microsoft Security Bulletin Summary page.