Microsoft has published eight security bulletins for the November 2013 Patch Tuesday monthly security update, addressing 19 vulnerabilities.
At the top of the priority list of patches and workarounds are the two open zero-day vulnerabilities, according to Wolfgang Kandek, chief technology officer at Qualys.
The patch implements a simple killbit setting that disables the affected ActiveX control “Information Card Signin Helper”.
The vulnerability could be exploited by a malicious webpage configured for a drive-by-download attack.
Second, the TIFF graphic format vulnerability in the GDI+ library, also disclosed last week, can be addressed with a workaround in the absence of a patch.
Kandek said the easy-to-implement workaround involves a registry setting that disables the rendering of TIFF files, which is detailed in security advisory KB2896666.
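The two interim mitigations described above (the ActiveX killbit and the GDI+ TIFF registry workaround) are the kind of thing an administrator wants to verify across a fleet before the patch lands. The following PowerShell audit script is an added example, not code from the article, Microsoft or Qualys; it assumes the standard killbit location under `ActiveX Compatibility` with the 0x400 `Compatibility Flags` bit, assumes the `DisableTIFFCodec` DWORD under `HKLM\SOFTWARE\Microsoft\Gdiplus` that advisory 2896666 describes, and takes the control's CLSID as a placeholder parameter because the article does not list it.

```powershell
# Added audit script (not from the article or Microsoft). Reports whether the two
# zero-day mitigations discussed in the article are present on the local host:
#   1. the ActiveX killbit for the "Information Card Signin Helper" control
#   2. the GDI+ TIFF codec disable value (assumed name: DisableTIFFCodec, per advisory 2896666)
# Read-only unless -Remediate is supplied; run from an elevated session.
param(
    # Placeholder: replace with the CLSID of the affected control from the bulletin.
    [string]$ControlClsid = '{00000000-0000-0000-0000-000000000000}',
    [switch]$Remediate
)

$killbitKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ControlClsid"
$gdiplusKey = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$KILLBIT    = 0x400   # Compatibility Flags bit that stops IE instantiating the control

function Get-RegDword([string]$Path, [string]$Name) {
    # Returns the DWORD value or $null when the key or value does not exist
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# --- Check 1: ActiveX killbit -------------------------------------------------
$flags = Get-RegDword $killbitKey 'Compatibility Flags'
$killbitSet = ($null -ne $flags) -and (($flags -band $KILLBIT) -eq $KILLBIT)
if ($killbitSet) { Write-Host "[OK]   Killbit set for $ControlClsid" }
else {
    Write-Host "[WARN] No killbit for $ControlClsid"
    if ($Remediate) {
        New-Item -Path $killbitKey -Force | Out-Null
        # Preserve any existing flag bits and OR in the killbit
        Set-ItemProperty -Path $killbitKey -Name 'Compatibility Flags' -Value ($KILLBIT -bor [int]$flags) -Type DWord
    }
}

# --- Check 2: GDI+ TIFF codec workaround --------------------------------------
$tiffDisabled = (Get-RegDword $gdiplusKey 'DisableTIFFCodec') -eq 1
if ($tiffDisabled) { Write-Host "[OK]   GDI+ TIFF rendering disabled (workaround applied)" }
else {
    Write-Host "[WARN] GDI+ TIFF codec still enabled on a host that may be affected"
    if ($Remediate) {
        New-Item -Path $gdiplusKey -Force | Out-Null
        Set-ItemProperty -Path $gdiplusKey -Name 'DisableTIFFCodec' -Value 1 -Type DWord
    }
}

# Emit an object so results can be collected from many hosts (e.g. via Invoke-Command)
[pscustomobject]@{ Host = $env:COMPUTERNAME; KillbitSet = $killbitSet; TiffCodecDisabled = $tiffDisabled }
```

On 64-bit Windows, 32-bit processes such as Office 2003 to 2010 read the redirected `HKLM\SOFTWARE\Wow6432Node\Microsoft\Gdiplus` key, so the same check should be repeated against that path.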
Marc Maiffret, chief technology officer at BeyondTrust, said that while the most recent versions of Windows and Office are unaffected, Vista, Server 2008, and Office 2003 to 2010 are affected.
“It is therefore very important to get the Fix it rolled out as soon as possible to help protect vulnerable systems,” he said.
The remaining bulletins cover “normal” vulnerabilities that were disclosed in a co-ordinated fashion to Microsoft.
Kandek said the highest priority goes to MS13-088, the Internet Explorer bulletin, which fixes 10 vulnerabilities.
The bulletin is rated “critical” and covers all versions of Internet Explorer, from 6 to 11. The vulnerabilities addressed could be abused to gain remote code execution (RCE) simply by browsing a malicious website.
The next two bulletins both address file format vulnerabilities that allow for RCE when opening a specifically crafted malicious file.
MS13-089, for the Windows GDI (graphics device interface) library, fixes a vulnerability in the BMP/WMF conversion that can be attacked through a malicious .WRI file opened in WordPad.
To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad, said Maiffret.
“So while this is not as simple as a browse-and-get-owned scenario offered by MS13-088, it is still potent, because it affects every version of supported Windows. Administrators should deploy this patch out as soon as possible,” he said.
MS13-091 for Microsoft Word addresses vulnerabilities in Word and the WordPerfect converter parser.
The remaining vulnerabilities are all less critical, rated “important” and can be addressed in a company’s normal patch schedule, said Kandek.
However, he said a vulnerability in Microsoft’s virtualisation product Hyper-V (MS13-092) stands out because it can be used for denial of service (DoS) attacks against the Hyper-V host and, under certain circumstances, can allow for code execution in another Hyper-V guest machine.
To exploit this vulnerability, an attacker would need to gain access to a guest virtual machine within a Hyper-V host, said Maiffret. From there, they would need to execute a malicious program, which would either 1) crash the host system, thereby denying service to any users or systems utilizing any guests on the host or 2) execute code on another guest running on the affected host machine.
“The denial of service attack would be useful for causing a disruption as a distraction, whereas the ability to execute arbitrary code on another guest machine could be incredibly valuable in the context of hosted virtual machine scenarios, permitting the takeover of other guests running on affected Hyper-V hosts,” he said.
MS13-094 fixes a S/MIME e-mail flaw in Outlook that allows the attacker to perform a port scan on the internal network. “Such an attack is very clever, but most likely it is too complicated to be useful,” said Kandek.
MS13-093 fixes a driver issue in AFD.sys that leaks information on memory locations, which is useful in conjunction with other more severe vulnerabilities, he said.
Finally, MS13-095 addresses a DoS condition that can be caused by the excessive nesting of X.509 certificates.
Microsoft also updated KB2755801, which Kandek said indicates that it is delivering a new version of Adobe’s Flash player with Internet Explorer 10 (IE10).
“IE10 and Google Chrome both take responsibility for updating the Adobe Flash plugin. Users of other browsers can get information on the update, which addresses two critical vulnerabilities, at the Adobe site under bulletin APSB13-026,” he said.
Adobe also released an update for ColdFusion, fixing one vulnerability.
Overall, Kandek rates November’s security update as “a medium-sized” Patch Tuesday, but he said system administrators should pay special attention to the two zero-days and the Internet Explorer update.
“Browsers continue to be the favorite target for attackers, and Internet Explorer, with its leading market share, is one of the most visible and likely targets,” he said.