Security Advisor

IE and Exchange Server Flaws Highlight Microsoft's August Security Update

Most importantly this month is a cumulative fix for 11 flaws in all versions of Microsoft's Web browser.

• By Chris Paoli
• 08/13/2013

Microsoft's August Security Update arrived with three bulletin items rated "critical" and five designated "important," with a majority of them focusing on fixes for Windows.

However, even though Microsoft's OS received the majority of updates, IT's top concern should be bulletin MS13-059, a cumulative security update for all versions of Internet Explorer that addresses 11 privately reported issues -- the most severe leading a system open to remote code execution (RCE) attacks if gone unpatched.

According to Microsoft's Dustin Childs, the good news is that while Microsoft's Web browser has a high number of holes to fix, he and his team at the Microsoft Trustworthy Computing group have yet to see any of the vulnerabilities being exploited in the wild. That includes a fix that was discovered by during this year's Pwn2Own security challenge in February.

The next item that security experts advise should be next to be applied is bulletin MS13-061. This item takes care of three publically known issues in Microsoft Exchange Server 2007, 2010 and 2013. According to the bulletin summary, the holes are located in the "WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server" and could allow an RCE attack if a harmful Outlook Web App (OWA) was previewed.

According to Lamar Bailey, direct of security research and development at security firm Tripwire, many that are diligent in their patching of non-Microsoft security updates might not need to apply this item. "Everyone was worried about the critical Exchange updates but they are not as bad as we feared," said Bailey in an e-mailed statement. "The Exchange patch incorporates some of the patches that Oracle released in April and July that affect Outlook Web Access."

The final critical item of the month (bulletin MS13-060) addresses one issue in Windows' Unicode Scripts Processor. If gone unpatched, attackers could launch RCEs against a system when a malicious document or Web page with embedded OpenType fonts is open. Again, this item will have limited appeal as it only affects those still running Windows XP and Windows Server 2003.

Important Items
The five important bulletins, which all affect Windows, include the following:

• MS13-062: Addresses an elevation of privilege vulnerability in the Remote Procedure Call process. This affects all versions of Windows OS and Windows Server.
• MS13-063: Fixes one publically and three privately disclosed holes in the Windows kernel that could allow an elevation of privilege if a malicious application was directly downloaded and launched into a system.  
• MS13-064: This denial of service flaw fix in Windows' NAT Driver blocks attacks transmitted through harmful ICMP packets to users running Windows Server 2012.
• MS13-065: This item takes care of a private denial of service in the Internet Control Message Protocol version 6 (ICMPv6) protocol.
• MS13-066: The final bulletin takes care of an information disclosure flaw located in Windows' Active Directory Federation Services (AD FS). All Windows Server versions are affected.

Microsoft said some of these updates may require a restart to be fully applied. More information can be found on Microsoft's Bulletin Summary Web page.