Timely Patch: Microsoft Closes Holes

Wednesday, May 15, 2013 @ 03:05 PM gHale

Yes, it is another Patch Tuesday, and this time Microsoft patched a big – and recent – Internet Explorer 8 vulnerability that was exploited in watering hole attacks carried out against the U.S. Department of Labor (DoL) website and nine others worldwide.

The Patch Tuesday security updates also include a fix for IE vulnerabilities exploited during the Pwn2Own Contest earlier this year.

Details on the DoL attack quickly emerged following the initial reports on May 1 that the agency’s Site Matrices Exposures site suffered compromise in an attack that likely targeted Department of Energy (DoE) researchers working on nuclear weapons programs.

This week a site in Cambodia was also serving malware exploiting IE 8 vulnerabilities targeting workers for the United States Agency for International Development (USAID).

Microsoft urged users still on IE 8 to patch the browser immediately, or upgrade to newer versions.

Microsoft updated IE in every Patch Tuesday update this year, including an out-of-band patch in January that resolved a vulnerability used in another watering hole attack.

Microsoft resolves the IE 8 bug in MS13-038, one of 10 bulletins released. The critical update supplants a temporary Fix-It mitigation Microsoft released last week, an MSHTML Shim Workaround for CVE-2013-1347. The vulnerability is present in IE 8 only and is a use-after-free memory corruption flaw that enables remote code execution. While IE 8 is an old version of the browser, it still has the highest market share with 23 percent, according to Net Market Share.

MS13-037, meanwhile, also has researchers concerned now that details are public. It is a cumulative update for IE that addresses the Pwn2Own vulnerabilities exploited by security company VUPEN.

VUPEN Chief Executive Chaouki Bekrar said his researchers used four Zero Day exploits against Microsoft products during Pwn2Own, including memory corruption, sandbox and ASLR-bypass bugs affecting IE 6-10.

MS13-039, meanwhile, rates as important, but could lead to a denial-of-service condition on boxes running Windows’ IIS webserver software. The vulnerability could be disruptive to organizations running remote services or Active Directory integrations on http.sys.

The remainder of the bulletins are rated important by Microsoft and include a number of remote code execution, information leakage and privilege escalation bugs.

MS13-40: Patches a spoofing vulnerability in the .NET Framework that could allow an attacker to modify the contents of an XML file.
MS13-41: Fixes a flaw on Microsoft Lync that could enable remote code execution if an attacker tricks a user into viewing malicious content.
MS13-42: Takes care of vulnerabilities in Microsoft Publisher that could allow an attacker to remotely execute code if a user opens a malicious Publisher file.
MS13-43: Patches a Word flaw that could give an attacker the same privileges as the user on a compromised machine.
MS13-44: Is a Visio vulnerability that could lead to information disclosure if a user opens an infected Visio file.
MS13-45: Repairs a Windows Essentials vulnerability that could lead to information disclosure if a user opens Windows Writer using a malicious URL.
MS13-46: Is a privilege escalation vulnerability in Kernel-Mode Drivers that happens if an attacker logs onto a system with valid credentials and runs a malicious application.