Microsoft Fills 34 Holes

Wednesday, July 10, 2013 @ 11:07 AM gHale

Patch Tuesday brought out seven bulletins from Microsoft this month, which addresses 34 vulnerabilities. Six of the bulletins rate as “critical” and allow for Remote Code Execution.

Of the 34 holes in Windows, Internet Explorer, Office among other products, a Windows kernel vulnerability that affected the Windows privilege system for over a month ended up fixed.

Light, but Important Patch Tuesday
Timely Patch: Microsoft Closes Holes
Microsoft Offers Fix for IE 8 Bug
IE8 Exploit Already Available

Google security expert Tavis Ormandy discovered the kernel hole in May and didn’t wait too long before disclosing details. Shortly afterwards, an exploit followed that opens a Windows prompt at system privilege level – regardless of the user’s actual privilege level.

The hole, with CVE identification number CVE-2013-3660, affects all versions of Windows. Microsoft didn’t warn its customers about the security problem ahead of the patch day despite, according to the company, the hole being a part of targeted attacks.

Patch bulletin MS13-053 closes further critical security holes, including an issue in the code for processing TrueType fonts, and users should install it as soon as possible.

The .NET framework and Silverlight also struggle with specially crafted TrueType fonts, potentially allowing attackers to inject malicious code. Microsoft said two of the vulnerabilities the patch bulletin fixes already were out. The GDI+ graphics library contains a critical font processing issue that allows attackers to infect systems with malware. The library is part of quite a few Microsoft applications, all of which suffer from the issue: All versions of Windows, Office 2003 to 2010, Visual Studio .NET 2003 and Microsoft Lync.

Microsoft also released a collective update for Internet Explorer, a critical update for DirectShow and another for the Windows Media Format runtime.

There is a patch for Windows Defender to close a hole that allows attackers to execute code at system privilege level in Windows 7 and Server 2008 R2. To exploit the hole, however, potential attackers must be able to log into a system, and apparently they must also have the right to write to the highest level of the system disk. This is the only update that Microsoft has rated at the second highest threat level.

The company also said the developers of apps available in the Windows Store, Windows Phone Store, Office Store and Azure Marketplace will, in future, have 180 days to close “critical” and “important” vulnerabilities. A prerequisite for this grace period is there must not be a public exploit for the hole. Otherwise, Microsoft said, it will withdraw vulnerable apps at short notice if necessary.

Leave a Reply

You must be logged in to post a comment.