Most of us thought this would be an easy month with only eight bulletins to deal with and only three listed as critical. Unfortunately, there is evidence of one vulnerability mentioned in those bulletins being actively exploited in the wild and a second zero-day, which isn't even covered in this month's bulletins, being used by bad guys.
What has become known as the TIFF zero-day detailed in Security Advisory 2896666 was not patched this month. Microsoft released a Fix-It to help mitigate this actively exploited vulnerability. An actual patch for it will be out as soon as it is ready and will probably be an out-of-band patch that will come out well before December’s Patch Tuesday.
The second zero-day was found just days ago, and it is also being actively exploited in the wild. In this case, however, Microsoft was able to include a full patch in this month's batch of bulletins. You can read about it as MS13-090 down below.
Remote Code Execution in Internet Explorer
CVE-2013-3871 CVE-2013-3908 CVE-2013-3910 CVE-2013-3911
CVE-2013-3914 CVE-2013-3915 CVE-2013-3916 CVE-2013-3917
The patch is offered as a cumulative security update for Internet Explorer and fixes ten privately reported vulnerabilities, the most severe of which could allow remote code execution if a user visits a specially crafted webpage. The update is critical for all currently supported versions of Internet Explorer including Internet Explorer 8.1, 11 and RT Preview editions. The update fixes how Internet Explorer handles special characters in cascading style sheets, print previews and objects in memory. While none of these issues has yet been seen exploited in the wild, Microsoft does expect exploit code to be produced rather soon.
Remote Code Execution in Graphics Device Interface
You don’t see vulnerabilities involving WordPad every day, and definitely not critical ones that can result in remote code execution. The problem lies with how the Graphics Device Interface handles integer calculations when processing image files. So if an attacker can get you to open a specially crafted Windows Write file in WordPad, they can run their own code, which can lead to all sorts of nasty things. While an exploit using this vulnerability has not yet been seen in the wild, it shouldn’t be too difficult to write one. So get those patches applied as soon as you can.
Remote Code Execution in ActiveX Kill Bits
This one, MS13-090, is already being actively exploited in the wild. It was first discovered by FireEye a few days ago. Do not confuse this patch for the ActiveX kill bits zero-day with the patch for the zero-day that impacts TIFF files. The patch for the TIFF file zero-day should be available soon.
Viewing a specially crafted webpage with Internet Explorer that instantiates the InformationCardSigninHelper Class ActiveX control (icardie.dll) could execute arbitrary code remotely. This patch addresses the vulnerability by setting kill bits so that the vulnerable control does not run in Internet Explorer.
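To confirm that a kill bit like the one this update sets is actually in place on a machine, the registry can be checked directly. The following PowerShell is an added example, not code from Microsoft or from the original post; the CLSID in the usage comment is a placeholder because the post does not list the class ID of the icardie.dll control, and the function name is hypothetical.

```powershell
# Added example: audit ActiveX kill bits on the local machine.
# Internet Explorer refuses to load a control when bit 0x400 is set in the
# "Compatibility Flags" DWORD under its CLSID in "ActiveX Compatibility".
$KillBit = 0x00000400

function Get-KillBitStatus {
    param(
        # One or more class IDs in registry form, braces included.
        [Parameter(Mandatory)][string[]]$Clsid
    )
    # 64-bit Windows keeps a second view for 32-bit Internet Explorer
    # under Wow6432Node; a kill bit must be present in both to be effective.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($id in $Clsid) {
        foreach ($root in $roots) {
            # Skip the Wow6432Node view on 32-bit systems where it does not exist.
            if (-not (Test-Path -LiteralPath $root)) { continue }
            $key   = Join-Path $root $id
            $flags = $null
            if (Test-Path -LiteralPath $key) {
                $item = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
                if ($item) { $flags = $item.'Compatibility Flags' }
            }
            [pscustomobject]@{
                Clsid  = $id
                View   = if ($root -like '*Wow6432Node*') { '32-bit' } else { 'native' }
                Flags  = if ($null -ne $flags) { '0x{0:X8}' -f $flags } else { '(not set)' }
                # A key that exists with other flags but without 0x400 is NOT killed.
                Killed = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
            }
        }
    }
}

# Usage with a placeholder CLSID (substitute the class ID from the bulletin):
# Get-KillBitStatus -Clsid '{00000000-0000-0000-0000-000000000000}' |
#     Where-Object { -not $_.Killed }
```

Any row returned by the commented usage line is a registry view where the control can still be loaded by Internet Explorer.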
Remote Code Execution in Microsoft Office
CVE-2013-0082 CVE-2013-1324 CVE-2013-1325
Remember WordPerfect? Well, if a specially crafted WordPerfect file is opened in Microsoft Office it could result in remote code execution. This patch is available for Microsoft Office 2003, 2007, 2010, 2013, and 2013. One good thing is that this vulnerability cannot be exploited automatically through email. For an attack to be successful, a user must open an attachment that is sent in an email message. Attackers generally find it fairly easy to get users to open attachments. Alternatively, an attacker could host the file on a website and then try to get someone to download and open it from there. Which, again, isn’t usually all that difficult.
Elevation of Privilege in Hyper-V
Hyper-V is a native hypervisor that enables platform virtualization on x86-64 systems. If an attacker successfully passes a specially crafted function parameter in a hypercall from an existing, running virtual machine to the hypervisor, they could cause a denial of service or elevation of privileges. The security update addresses the vulnerability by ensuring that Hyper-V properly sanitizes user input.
Information Disclosure in Windows Ancillary Function Driver
The Windows Ancillary Function Driver is used by the WinSock networking stack to implement certain functionality. If an attacker logs on to an affected system as a local user and runs a specially crafted application on the system, they could obtain information from a higher-privileged account. About the only good thing about this vulnerability is that it only impacts 64-bit versions of the Windows OS including Windows XP, Server 2003, Vista, Server 2008, 7, Server 2008 R2, 8 and Server 2012. The security update addresses the vulnerability by correcting how Windows copies data from kernel memory to user memory.
Information Disclosure in Microsoft Outlook
This one is a little tricky, and as such Microsoft does not expect exploit code to be written to take advantage of this anytime soon. Regardless, users ought to install this patch. If an attacker can get a user to open or preview a specially crafted S/MIME email message, they could ascertain the IP address and open TCP ports of the target system and connected systems. That might not sound like a big deal unless you are the attacker who could use such information to launch additional attacks. This issue is present in Microsoft Outlook 2007, 2010, 2013 and 2013 RT.
Denial of Service in Digital Signatures
X.509 certificates help manage public keys through a Public Key Infrastructure (PKI). This vulnerability could allow denial of service when the X.509 certificate validation operation fails to properly handle a specially crafted X.509 certificate. There are no mitigations or workarounds available for this one, so if you want to make sure you are protected you don’t have any choice but to install the patch.