Security Advisor

'Critical' Windows and Internet Explorer Flaws Fixed in July's Patch Tuesday

This month's Microsoft Security Update also comes with word of a new policy for vulnerable apps in the Windows Store.

Microsoft released July's Security Update today that includes six "critical" items and one "important" bulletin.

IT should not hesitate to apply bulletin MS13-053 first and foremost, according to security experts. The fix addresses two publicly disclosed and six privately disclosed vulnerabilities in the Windows kernel that could lead to remote code execution (RCE) attacks if gone ignored. In fact, not only could these holes lead to attacks, but hackers are already busy exploiting these holes in the wild thanks to a prematurely leaked disclosure associated with this bulletin.

"This is the vulnerability that was publicly disclosed by Google researcher Tavis Ormandy a few months ago," said Paul Henry, security and forensic analyst at Lumension, in an e-mailed statement. "Thanks to that irresponsible disclosure, it is under limited active attack."

Henry went on to discuss that if the disclosure by Ormandy went through the correct channels in Microsoft (instead of being broadcast online), all attacks exploiting the kernel hole would have been avoided.

Up next on your patching docket should be the Internet Explorer cumulative fix (bulletin MS13-055). This one item looks to take care of a whopping 17 vulnerabilities in every currently supported version of the browser (minus the recently released Internet Explorer 11 Preview). Many of the vulnerabilities could have attackers gaining access to your system if a harmful Web site is visited.

While Microsoft has seen no attacks associated with any of the IE holes as of yet, it does come packed with a vulnerability rating of 1, meaning that it's not a question of if an attacker will figure out how to take advantage of the vulnerabilities, but when.

Noteworthy this month is that for the first time, Microsoft is using multiple bulletins to address a single Common Vulnerabilities and Exposures (CVE) item. Critical items MS13-052, and MS13-054 (and previously discussed item MS13-053) are aimed at fixing the same TrueType font processing error in different components.

MS 13-052 looks to handle the issue in .NET Framework and MS-13-054 does the same in Windows, Office, Lync and Visual Studio. If gone unpatched, an RCE attack can be leveraged against a user if a file with malicious TrueType font files embedded was opened and shared.

In dividing this fix into three different bulletins, Microsoft is looking to address a vocal concern IT has had in the past when it comes to the patching process, said Rapid7's Ross Barrett. "By splitting this out, Microsoft is directly addressing a complaint about previous 'rolled up' advisories where it was difficult to properly prioritize the multiple patches required to remediate the problem, and component patches were frequently missed."

The final two items, bulletin MS13-056 and MS13-057 take care of additional RCE headaches, this time in Microsoft DirectShow and Windows Media Format Runtime. Windows users who open a malicious image file or video are opening the door for hackers to enter. All currently supported versions of Windows OS and Windows Server will be affected by these two. However, due to the fact that attacks are not yet being seen exploiting these issues, it is recommended that these two items be applied after the previous four are installed.

New Security Policy for Windows Store Apps
Along with the batch of fixes, Microsoft also took some time during this busy Patch Tuesday to outline a new security procedure for programs available in Windows 8's Windows Store, Windows Phone Store, Azure Store and Office Store. Effective immediately, app developers must fix vulnerable items as soon as possible, under threat of having it removed from the respective store.

"Starting today, developers will be required to submit an updated app within 180 days of being notified of a Critical or Important severity security issue," wrote Microsoft Trustworthy Computing's Dustin Childs. "This assumes the app is not currently being exploited in the wild."

If it is posing an immediate threat to users, Microsoft reserves the right to pull the item without notification.

More information on July's security update can be found here.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.


comments powered by Disqus

Subscribe on YouTube