Microsoft releases five patches with one critical fix for Internet Explorer

Microsoft releases five patches with one critical fix for Internet Explorer

Microsoft released five bulletins on its June Patch Tuesday, fixing one critical vulnerability in Internet Explorer.

The bulletins fix 23 vulnerabilities in Windows, Office and Internet
Explorer, and Microsoft recommended focusing on MS13-047 and MS13-051
first, the critical issue and a remote code execution flaw in Office.
BeyondTrust CTO Marc Maiffret said: “MS13-047 addresses 19
vulnerabilities in Internet Explorer, including 18 generic memory
corruption vulnerabilities and one memory corruption caused by a script
debugging vulnerability. Four out of these 19 vulnerabilities
(CVE-2013-3112,CVE-2013-3113, CVE-2013-3121, and CVE-2013-3142) affect
every supported version of Internet Explorer, so attackers will be
targeting these vulnerabilities prior to attempting to exploit any of
the others.”
Ziv Mador, director of security research at Trustwave, said: “It is
rare only having one bulletin in an entire release that contains more
than one CVE. However, it is also unusual for one bulletin having at
least 18 of them.
“Similar to last month, Internet Explorer is plagued with more critical
vulnerabilities, which appear to be caused from memory corruption
issues. Many of the CVEs appear to suffer from use-after-free
vulnerabilities, which could allow arbitrary code to be executed and/or
cause denial-of-service conditions. However, there are many CVEs in here
that can result in remote code execution, which is definitely something
to worry about especially when it affects a browser.”
Paul Henry, security and forensic analyst at Lumension, said: “Though
this may be very concerning at first glance, the bulletin should not
cause undue alarm. In order for the vulnerability to be executed, an
attacker would have to craft a malicious site and use a phishing attack
to lure an unsuspecting user to the site, which would then compromise
the system. An attacker could not get in without some user
participation.”
Looking at bulletin MS13-051, Wolfgang Kandek, CTO of Qualys, said that
this patch for Microsoft Office 2003 on Windows and 2011 for Mac OS X
addresses a parsing vulnerability for the PNG graphic format that is
currently in limited use in the wild.
“The attack arrives in an Office document and is triggered when the
user opens the document. Microsoft rates it only as ‘important’ because
user interaction is required, but attackers have shown over and over
that getting a user to open a file is quite straightforward,” he said.
Mador said: “Microsoft Office 2003 SP3 and/or Microsoft for Mac 2011
users should pay particularly close attention to this vulnerability
since an attacker could specially craft an Office document that could
potentially allow remote code execution conditions. This includes a user
viewing a specially crafted email message in Outlook. This
vulnerability could especially be risky for those users who always login
under an administrator privilege account since this exploit could be
used for escalated privileges.”
The other fixes are: MS13-048 for an information disclosure
vulnerability; MS13-049 for a denial-of-service problem in the TCP/IP
stack of newer Windows systems (Vista+); and MS13-050 for a local
privilege escalation vulnerability in Windows print spooler.
Kandek also pointed out that a fix was not issued for the vulnerability
that a Google engineer recently published an exploit for on the
full-disclosure mailing list.
He said: “The zero-day vulnerability allows an attacker already on the
machine to gain admin privileges, and we can assume that the underground
is working to make that vulnerability part of their arsenal. The
vulnerability should be addressed next Patch Tuesday unless wider
exploitation in the wild is detected.”

Add a Comment