Here in Philadelphia this month the local weather people are calling it "Aug-tober" due to the rather warm temperatures that have continued well into October. This month’s Patch Tuesday, however, is nothing like August at all. For one, Trustwave SpiderLabs found one of the zero-days discussed in this batch of bulletins (we have a separate write up for that one here). In addition, four of the bulletins this month are critical and seven of them result in remote code execution! With any luck we will have "Aug-vember" weather-wise, but hopefully we won’t experience a repeat of October’s Patch Tuesday.
Remote Code Execution in Internet Explorer
CVE-2013-3875 CVE-2013-3882 CVE-2013-3885 CVE-2013-3886
This is the biggie that everyone has been worried about: it was first announced last month and Microsoft issued a Fix It for it. The good thing is that if you already applied the Fix It you do not need to undo the changes before applying this update. The issue with all ten of these vulnerabilities has to do with how Internet Explorer handles objects in memory; if memory is corrupted in a particular way, an attacker can turn that corruption into execution of arbitrary code. There are nine vulnerabilities covered in this bulletin, which impact all versions of Internet Explorer from 6 through 11. Some of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage. Getting someone to view a "specially crafted webpage" is a lot easier than it sounds and is often accomplished by sending someone a simple email with a link in it.
Attackers are already using some of these vulnerabilities to compromise victim machines. In fact, Trustwave SpiderLabs found bad guys exploiting both CVE-2013-3879 and CVE-2013-3897. We have a separate write-up for these two CVEs here, or check Microsoft's write-up here.
Remote Code Execution in Kernel-Mode Drivers
CVE-2013-3128 CVE-2013-3200 CVE-2013-3879 CVE-2013-3880
CVE-2013-3881 CVE-2013-3888 CVE-2013-3894
While this bulletin is also rated critical, it hasn’t yet been seen in the wild being used to attack people. Microsoft does think this one would be pretty easy to exploit, and by the time you read this bad guys are probably already working on trying to figure out how to do just that. While the issue here is with the cryptically named "kernel-mode drivers," you may be more familiar with the OpenType and TrueType fonts they parse. The flaws here impact all supported releases of Microsoft Windows except Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. While some of these CVEs only result in privilege escalation, other CVEs in this bulletin will result in remote code execution. There are a few unusual cases where you may not see this update being offered in Windows Update, depending on your particular system configuration. If this concerns you, check the KB article (KB2870008) for more information. Note that CVE-2013-3128 is listed both here and in MS13-082 because it also impacts the .NET Framework.
Remote Code Execution in .NET Framework
CVE-2013-3128 CVE-2013-3860 CVE-2013-3861
This one is similar to MS13-081, as one of the CVEs, CVE-2013-3128, also deals with malformed OpenType fonts - only this time the issue is in the .NET Framework and not in the kernel-mode drivers. The other two CVEs deal with XML digital signatures and document type definitions in JSON data encodings and are rated Important as opposed to Critical. The good news is that exploiting any of these three would be rather difficult, though not impossible, so don’t expect the bad guys to take advantage of these any time soon.
Remote Code Execution in Windows Common Control Library
COMCTL32.DLL implements a wide variety of standard Windows controls, such as the File Open, Save, and Save As dialogs, progress bars, and list views. However, if an attacker sends a specially crafted web request to an ASP.NET web application running on an affected system, they could run arbitrary code without authentication. The good thing here, if there is a good thing, is that this only impacts 64-bit versions of Windows. So there's one less patch to download and install for all those desktops running 32-bit Vista or Windows 7 or 8, or, heaven forbid, still on XP SP3! But if you have servers or desktops that have been updated to 64-bit, you will definitely need to install this patch.
Remote Code Execution in SharePoint Server
While this bulletin impacts SharePoint, CVE-2013-3889 is actually listed in two bulletins - MS13-084 and MS13-085. Since exploiting this vulnerability involves using Microsoft Excel to corrupt memory used by SharePoint, it is listed in two different bulletins to fix both products. The update helps to validate data when parsing specially crafted Office files and changes the configuration of SharePoint pages to provide additional protection against click-jacking attacks. While this attack has not yet been observed in the wild, it's expected to be real soon now.
Remote Code Execution in Microsoft Excel
This bulletin fixes CVE-2013-3889, as mentioned in the previous update, and also addresses CVE-2013-3890. Both vulnerabilities could allow an attacker to take complete control of a system with a specially crafted Excel file. This patch should be applied to all supported versions of Excel (except 2003 SP3), the Microsoft Office Compatibility Pack, as well as Microsoft Office for Mac 2011, so Mac users should check for updates as well.
Remote Code Execution in Microsoft Word
This bulletin covers two memory corruption vulnerabilities, both of which can be triggered by specially crafted Microsoft Word files. The update fixes the vulnerabilities by correcting the way that Microsoft Word parses specially crafted files and by correcting the manner in which the XML parser used by Word resolves external entities within a specially crafted file.
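The second half of that fix, how an XML parser resolves external entities, is worth checking in your own applications, not just in Word. An XML parser that fetches external entities will read whatever the document's DTD points it at, including local files. The Python script below is an added example written for this post; it is not Word's parser and not Microsoft's fix. It uses Python's standard-library xml.sax parser, creates a constructed "secret" file to stand in for any local file, and parses a constructed document that references it once with external entity resolution enabled and once with it disabled (the hardened configuration). The entity name `ext` and the `TextCollector` handler are assumptions made for the example.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Gathers all character data so we can see whether entity expansion
    pulled anything into the document from outside it."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_document(xml_bytes, resolve_external_entities):
    """Parse xml_bytes with xml.sax and return the collected text.

    resolve_external_entities=False is the hardened setting: the parser
    still accepts the DTD but treats external entity references as empty."""
    parser = xml.sax.make_parser()
    # feature_external_ges controls expansion of external general entities.
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def compare_entity_handling():
    """Return (text_with_resolution_on, text_with_resolution_off) for a
    constructed document whose DTD declares an entity pointing at a local
    file. A parser in the hardened configuration must return '' for it."""
    # Constructed stand-in for a local file the document should never reach.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("local-secret")
        secret_path = f.name
    try:
        # Constructed document: the internal DTD subset declares an external
        # entity whose SYSTEM identifier is the path of the file above.
        doc = (
            '<!DOCTYPE doc [<!ENTITY ext SYSTEM "%s">]>' % secret_path
            + "<doc>&ext;</doc>"
        ).encode()
        resolved = parse_document(doc, resolve_external_entities=True)
        hardened = parse_document(doc, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return resolved, hardened


if __name__ == "__main__":
    resolved, hardened = compare_entity_handling()
    print("external entities resolved: %r" % resolved)
    print("external entities disabled: %r" % hardened)
```

Running it shows the file's contents appearing inside the parsed document in the first case and an empty string in the second. The same check, with the document and the stand-in file adapted, is a cheap regression test to keep beside any service that accepts XML from outside.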
Information Disclosure in Silverlight
If an attacker can convince a user to view a website that contains a specially crafted Silverlight application that is designed to exploit this vulnerability, perhaps via a targeted phishing email, then the attacker may be able to learn confidential information about the user. The update fixes how Microsoft Silverlight checks memory pointers when accessing certain Silverlight elements.
Now install those patches as soon as you can and maybe you can get out and enjoy some Aug-tober while it lasts!