05-20-13 | Blog Post
Last week Microsoft released ten security bulletins, including another cumulative Internet Explorer update. Two of the bulletins are rated Critical; the other eight are rated Important.
The cumulative Internet Explorer update resolves eleven different vulnerabilities in the browser. The most severe of them could allow remote code execution if a user views a specially crafted web page in Internet Explorer, giving the attacker the same rights as the logged-on user. It affects Internet Explorer 6 through 10 on Windows clients.
The other critical update resolves one publicly disclosed vulnerability and replaces the temporary fix (a Fix it workaround) that Microsoft announced last week. It, too, allows remote code execution if a user views a malicious website in the browser. The vulnerability affects only Internet Explorer 8, an older version of the browser but currently the most widely used one. An attacker who exploits it ends up with the same rights as the user. Microsoft points out a mitigation that applies to every remote code execution bug in this release: grant user rights on the basis of need. A user who does not need administrative rights to do their job should run as a standard user, so that any exploit running with that user's rights is limited to what a standard user can do.
The updates labelled important are split into a few different groups:
Denial of Service:
MS13-039 updates all supported editions of Windows 8 and Windows Server 2012. The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected server or client. Microsoft resolves it by correcting the way HTTP.sys handles certain HTTP headers. This patch requires a restart.
Spoofing:
This update is for a vulnerability in the .NET Framework. Successfully exploited, it would let an attacker change the contents of a signed XML file without invalidating the file's signature, allowing them to pass as an authenticated user. The update corrects how the .NET Framework validates signatures on XML files and how it enforces authentication policy requirements.
Remote Code Execution:
Three 'Important' bulletins resolve vulnerabilities that could give an attacker the rights of the current user. They cover Microsoft Publisher, Microsoft Lync, Microsoft Word 2003 and Microsoft Word Viewer. These updates may require a restart.
Information Disclosure:
Two patches resolve information disclosure vulnerabilities. The first is for Microsoft Visio; Microsoft fixed it by changing the way the XML parser resolves external entities in specially crafted files. Exploiting it does not give the attacker any additional rights, but it can disclose information from the affected system that helps in compromising it further. The other patch is for Windows Writer. An attacker could exploit it by getting a user to visit a website and click a specially crafted URL; the attacker could then override Writer's proxy settings and overwrite files on that system. Both updates may require a restart.
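To show what "resolving external entities in specially crafted files" means for the Visio fix, here is an added example (written for this post, not Microsoft's code and not part of the original write-up). It uses Python's xml.sax parser, whose external general entity feature is off by default, and switches it on to stand in for a parser that behaves the way the unpatched one did. The "secret" file, the crafted document and the element names are all constructed for the demo; the entity reads a local file so it runs offline.

```python
import io
import os
import shutil
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Accumulates the character data of every element (enough for the demo)."""

    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

    def result(self):
        return "".join(self.chunks)


def parse(xml_bytes, allow_external_entities):
    """Parse xml_bytes with xml.sax and return the character data it saw.

    allow_external_entities=True makes the parser fetch whatever a
    <!ENTITY ... SYSTEM "..."> declaration points at (the unsafe behaviour);
    False is the hardened default, where such references are skipped.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.result()


def build_xxe_document(target_path):
    """Constructed sample: a DTD declares an external entity pointing at a
    local file, and the element content then references that entity."""
    return (
        '<?xml version="1.0"?>\n'
        '<!DOCTYPE drawing [\n'
        f'  <!ENTITY xxe SYSTEM "{target_path}">\n'
        ']>\n'
        '<drawing><title>&xxe;</title></drawing>\n'
    ).encode()


def demo():
    """Write a throwaway 'secret' file, then parse the crafted document with
    external entities resolved and with them ignored.

    Returns (text seen by the vulnerable parse, text seen by the safe parse).
    """
    workdir = tempfile.mkdtemp()
    try:
        secret_path = os.path.join(workdir, "secret.txt")
        with open(secret_path, "w", encoding="utf-8") as fh:
            fh.write("TOP-SECRET-DATA")  # constructed stand-in for a file the parser can read
        doc = build_xxe_document(secret_path)
        leaked = parse(doc, allow_external_entities=True)
        contained = parse(doc, allow_external_entities=False)
        return leaked, contained
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    leaked, contained = demo()
    print("external entities resolved :", repr(leaked))
    print("external entities ignored  :", repr(contained))
```

The attacker never gains code execution here: the parser simply copies the target file's contents into the document text, which is why the bulletin classes it as information disclosure. The fix is the same shape as the hardened branch above: do not resolve external entities declared in untrusted input.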
Elevation of Privilege:
The last update fixes an elevation of privilege vulnerability in Windows XP, Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012 and Windows RT. It could allow elevation of privilege if an attacker runs a specially crafted application on the system. The attacker would need valid logon credentials and would have to be logged on locally to exploit it. This update requires a restart.
Microsoft Security Bulletin for May