IE Fixes Are Top Priority for November's Patch Tuesday
Microsoft's monthly Security Update arrived today with three "critical" bulletin items and five "important" fixes -- all addressing 19 flaws in a number of Microsoft products and services.
According to security experts, IT's first priority should be to apply bulletin MS13-090, a cumulative ActiveX Kill Bits fix that takes care of one privately reported issue. According to Microsoft, a remote code execution (RCE) attack could be instigated if a malicious Web site that employs ActiveX controls is viewed in Internet Explorer.
"We are aware of limited attacks that exploit this issue," said Microsoft's Dustin Childs. "The code execution occurs at the level of the logged on user, so non-admin users would face less of an impact. The remote code execution vulnerability with higher severity rating be fixed in today's release and we advise customers to prioritize the deployment of MS13-090 for their monthly release."
The attacks being seen in the wild have targeted specific Web sites concerning national and international security policies, according to security firm FireEye, which alerted Microsoft of the attacks last week. According to the firm, the technique used and the individuals responsible are the same that were connected to attacks against Japanese corporations in September.
"Furthermore, the attackers loaded the payload used in this attack directly into memory without first writing to disk -- a technique not typically used by advanced persistent threat (APT) actors," said FireEye. "This technique will further complicate network defenders' ability to triage compromised systems, using traditional forensics methods."
After this bulletin has been applied, the next priority should be bulletin MS13-088, a cumulative Internet Explorer fix that hits every supported version of Microsoft's Web browser. The most severe, according to Microsoft, could lead to a remote code execution (RCE) attack if a malicious link was opened with any version of Internet Explorer.
While cumulative IE updates have typically gotten top-bill on the priority list in previous months, due to there being no active attacks exploiting any of the 10 bugs this bulletin addresses, this should be prioritized second after the bulletin that addresses the active exploit.
The final critical item of the month (bulletin MS13-089) affects every supported version of Windows and patches a privately reported RCE flaw in WordPad. While there's been no active exploits seen in the wild, it wouldn't be too hard for attackers to take advantage of the flaw, according to Paul Henry, security and forensics analyst at security firm Lumension.
"We have seen this type of issue before," said Henry in an e-mailed statement. "In previous related Windows Graphics Device Interface (GDI) issues, the vulnerability was caused by improper parsing of TrueType fonts (TTF) in shared content. The vulnerability could be exploited if an attacker crafts a malicious file or website and convinces a user to download the file or open an attachment. The attacker would receive the same level of privilege as the running application that was using the GDI interface."
Microsoft's November "important" bulletins include:
- MS13-091: Addresses three flaws that could lead to an attack if a malicious WordPerfect file is opened with all supported versions of Office.
- MS13-092: Affecting only Windows 8 and Windows Server 2012, this Hyper-V flaw fix blocks an attacker from gaining an elevation of privilege in virtual machines.
- MS13-093: This information disclosure flaw fix affects all 64-bit versions of Windows that could only be attacked with valid login credentials.
- MS13-094: Fixes a publicly disclosed Outlook flaw that could lead to information disclosure if a harmful e-mail was opened by a user.
- MS13-095: The final bulletin of the month fixes how Windows views digital signatures and affects all versions of the OS.
Many of these bulletins may require a system restart to be fully applied. More information on November's security update can be found on the Microsoft Security Bulletin Summary page.