Microsoft Patches 23 Vulnerabilities in Windows, IE, Exchange
Today Microsoft released 8 security bulletins addressing 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange Server.
The first update is MS13-059, a cumulative update for Internet Explorer, and patches 11 separate vulnerabilities, 9 of which are rated critical on one or more platforms. The 9 critical vulnerabilities are all memory corruption vulnerabilities. The other 2 are only rated as Moderate severity on some platforms for privilege escalation or information disclosure.
MS13-060 (Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution) affects only Windows XP and Server 2003. "The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts."
MS13-061 describes 3 critical vulnerabilities in all currently-supported versions of Exchange Server. The actual vulnerability is in a set of Oracle libraries, called Outside In, which assist in document viewing for users of Outlook Web Access in a web browser. The update installs fixed versions of the Oracle libraries. These vulnerabilities have been publicly disclosed already, but Microsoft states that "Exploit code would be difficult to build".
MS13-062 is a single privilege escalation vulnerability which affects the RPC handling code in all versions of Windows and is rated Important.
MS13-063 describes 4 vulnerabilities, all rated Important, affecting most versions of Windows. One allows bypass of ASLR (Address Space Layout Randomization), a technique used by Windows to defeat many attacks. The other 3 are kernel corruption vulnerabilities which could allow elevation of privilege. These vulnerabilities have been publicly disclosed already. For reasons unclear to me, Microsoft does not provide an exploitability index number for the ASLR bypass vulnerability.
MS13-064 is a single denial of service vulnerability in the Windows Server 2012 NAT Driver. A specially-crafted ICMP packet could cause the service to stop responding.
MS13-065 is a single denial of service vulnerability in the IPv6 stack in all versions of Windows except XP and Server 2003. This vulnerability is also triggered by a specially-crafted ICMP packet.
MS13-066 is an information disclosure vulnerability in the Active Directory Federation Services (AD FS) in all Intel-based versions of Windows Server other than Server Core. According to Microsoft, "…the vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance."
The first is an update to Windows 8 and RT 'to improve protection functionality in Windows Defender'. The second is for Windows 8, RT and Server 2012 'to resolve issues in Windows'. The third is for all current versions of Windows, also 'to resolve issues in Windows'.
Brian Gorenc, Manager, manager of HP Security Research's Zero Day Initiative, added this this observation:
In today's patch release, Microsoft continues to fix weaknesses demonstrated by researchers at HP's Pwn2Own competition earlier this year.
One of the issues Microsoft is patching (CVE-2013-2556) exists in the Windows Kernel which can be leveraged by attackers to bypass operating system mitigations like Address Space Layout Randomization (ASLR). This specific flaw occurs as a result of the predictable address of a data structure, which can be leveraged to leak memory addresses to an attacker.
Microsoft is also hardening Internet Explorer's sandbox by correcting the bypass vulnerability demonstrated by VUPEN Security at Pwn2Own. This vulnerability can be utilized by attackers to execute code outside the sandbox.