Microsoft Addresses Security Bugs

Some patches are more of a rush job than others and this month Microsoft took less than 30 days to incorporate an Oracle Outside In patch and fix a critically rated remote code execution bug in Exchange Servers.

Those are is among the eight bulletins released as part of Microsoft’s August 2013 Patch Tuesday security updates.

RELATED STORIES
Microsoft Fills 34 Holes
Microsoft Expands MAPP Program
Oracle Releases July Patches
Adobe Updates Flash, Shockwave, ColdFusion
Cisco Patches Security Appliances

Oracle patched Outside In with its July Critical Patch Update (CPU); the technology allows developers to turn unstructured file formats into normalized files. MS13-061 includes the Outside In Patch, which is part of the WebReady Document Viewing and Data Loss Prevention features on Exchange Servers.

Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.

If a users is running Exchange and users have OWA, they should address this issue as quickly as possible. Microsoft also recommends a workaround that turns off Outside In document processing.

MS13-059 is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6-10 is vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.

The IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.

The final critical bulletin, MS13-060, patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.

The remaining bulletins all ended up rated important by Microsoft.
• MS13-062 patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages.
• MS13-063 is another privilege escalation issue in the Windows kernel. Four vulnerabilities ended up patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.
• MS13-064 patches a denial of service vulnerability in Windows NAT Driver.
• MS13-065 also fixes a denial of service bug in ICMPv6; Vista, Windows Server 2008, Windows &, Windows 8, Windows RT and Windows Server 2012.
• MS13-066 patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012.