Security Advisor

Internet Explorer Flaws Fixed in Microsoft's June Security Patch 

The cumulative security bulletin for Microsoft's Web browser addresses 19 separate flaws.

• By Chris Paoli
• 06/11/2013

Microsoft's June Security Update arrived today with only one bulletin item rated "critical" -- a cumulative update for Internet Explorer.

While this month's patch is small on the number of bulletins (four "important" items to go along with the IE fix), the cumulative security update (bulletin MS13-047) does address 19 different vulnerabilities across multiple versions of Microsoft's Web browser.

The most severe could lead to a remote code execution (RCE) attack if a malicious Web link is clicked. Microsoft said that it has not seen any of the flaws being exploited by attackers and the high number of vulnerabilities associated with the bulletin should not be of major concern to users, according to Paul Henry, security and forensic analyst for Lumension.

"This bulletin accounts for the bulk of the CVEs being fixed this month -- 19 of 23," commented Henry in an e-mailed statement. "Though this may be very concerning at first glance, the bulletin should not cause undue alarm. In order for the vulnerability to be executed, an attacker would have to craft a malicious site and use a phishing attack to lure an unsuspecting user to the site, which would then compromise the system. An attacker could not get in without some user participation. Many of the successful hacks we've seen lately have been through phishing attacks, so remember to take the time to educate your users about security and mitigation."

Important Items
Microsoft recommends that the next priority be bulletin MS13-051, an important RCE fix for Microsoft Office 2003 and Office for Mac 2011. This should be high on the priority list for IT because there have been a limited number of attacks already seen by Microsoft using the flaw. However, because it only affects two older versions of Microsoft Office, the majority of users are safe from attack.

The final three important bulletins include the following:

• MS13-048: Addresses an issue in the Windows kernel that could lead to an information disclosure if a malicious application was manually loaded on a system.
• MS13-049: Blocks another Windows kernel flaw, this time a denial of service threat that could occur if a harmful data packet was sent to an unprotected server.
• MS13-050: This elevation of privilege flaw fix in Windows closes a bug that could lead to an attack if a printer connection was deleted by an unauthorized individual.

Microsoft Security Advisory 2854544        
Microsoft's June patch also came equipped with a Security Advisory that announces the arrival of some of Windows 8's once-exclusive security features concerning how the company handles digital certificates in Windows and improved cryptography features to earlier versions of the OS.

"This functionality, initially built into Windows 8, Windows Server 2012 and Windows RT, is now available for Windows Vista through Windows 7," wrote Microsoft Trustworthy Computing's Dustin Childs in a blog post. "Over the coming months, we'll be rolling out additional updates to this advisory -- all aimed at bolstering Windows' cryptography and certificate-handling infrastructure. Our efforts here aren't in response to any specific incident; it's the continuing evolution of how we handle digital certificates to ensure the safest possible computing environment for our customers."

More information on today's security release can be found here.