isssource.com
Microsoft Addresses Security Bugs

Wednesday, August 14, 2013 @ 04:08 PM gHale

Some patches are more of a rush job than others and this month Microsoft took less than 30 days to incorporate an Oracle Outside In patch and fix a critically rated remote code execution bug in Exchange Servers.

Those are among the eight bulletins released as part of Microsoft’s August 2013 Patch Tuesday security updates.


Oracle patched Outside In with its July Critical Patch Update (CPU); the technology allows developers to turn unstructured file formats into normalized files. MS13-061 includes the Outside In patch; Outside In is part of the WebReady Document Viewing and Data Loss Prevention (DLP) features on Exchange Servers.

Exploits could allow an attacker to remotely execute code if a user previews or opens a malicious file using Outlook Web App (OWA). The attacker would have the same privileges as the transcoding services on the Exchange Server; that would be the LocalService account for WebReady Document Viewing and the Filtering Management service for the DLP feature. Both, however, run with minimal privileges.

Anyone running Exchange whose users have OWA should address this issue as quickly as possible. Microsoft also recommends a workaround that turns off Outside In document processing.

MS13-059 is another cumulative patch for Internet Explorer and repairs 11 remotely executable vulnerabilities in the browser, including a sandbox bypass vulnerability discovered and exploited by VUPEN researchers during the Pwn2Own contest in March. IE 6 through 10 are vulnerable to exploit; Microsoft said it is not aware of any active exploits for any of these vulnerabilities.

The IE rollup includes patches for nine memory corruption vulnerabilities, as well as fixes for a privilege escalation flaw in the way in which the browser handles process integrity level assignment and an information disclosure cross-site scripting vulnerability in EUC-JP character encoding, Microsoft said.

The final critical bulletin, MS13-060, patches a Windows vulnerability in the Unicode Scripts Processor; the patch corrects the way Windows parses certain OpenType font characteristics. An exploit could allow an attacker to run code remotely if a user opens a malicious document or visits a website that supports OpenType fonts.

The remaining bulletins all ended up rated important by Microsoft.
• MS13-062 patches a privilege escalation vulnerability in Windows RPC, correcting the manner in which Windows handles asynchronous RPC messages.
• MS13-063 is another privilege escalation issue in the Windows kernel. Four vulnerabilities ended up patched in this bulletin, the most severe of which enables elevated privileges if an attacker is able to log in locally and run a malicious application. In addition to memory corruption bugs, one of the vulnerabilities in this bulletin enables an attacker to bypass Address Space Layout Randomization (ASLR), a memory protection native to the OS.
• MS13-064 patches a denial of service vulnerability in Windows NAT Driver.
• MS13-065 also fixes a denial of service bug, this one in ICMPv6, affecting Vista, Windows Server 2008, Windows 7, Windows 8, Windows RT and Windows Server 2012.
• MS13-066 patches an information-disclosure vulnerability in Active Directory Federation Services on Windows Server 2008 and Windows Server 2012.


