ID: IRCNE2013061873
Date: 2013-06-12
According to "computerworld", a new batch of security updates released by Microsoft on Tuesday addresses a total of 23 vulnerabilities in Internet Explorer, Windows and Microsoft Office, including one that is actively exploited by attackers. The handling of digital certificates in Windows was also improved.
Only the security bulletin for Internet Explorer, identified as MS13-047, is rated critical. This bulletin addresses 19 privately reported vulnerabilities that affect all Internet Explorer versions, from IE 6 to 10, and could allow remote attackers to execute code on computers with the privileges of the active user.
To exploit one of these vulnerabilities, attackers need to set up a maliciously crafted Web page and trick users into visiting it. However, on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, Internet Explorer runs in a restricted mode called Enhanced Security Configuration that mitigates the vulnerability.
One of the vulnerabilities that Kandek is most concerned about affects Microsoft Office 2003 and Microsoft Office for Mac 2011 -- the most recent version of Office available for Mac OS X. This remote code execution flaw was addressed in the MS13-051 security bulletin, but is already being actively exploited in targeted attacks. Despite this, Microsoft only rated the security bulletin as important and not critical.
Even though later versions of Office for the Windows platform are not affected by this vulnerability, Office 2003 is still used by a lot of people, which makes this a serious vulnerability, Kandek said.
Another security bulletin released Tuesday, MS13-049, addresses a denial-of-service vulnerability in the Windows TCP/IP driver that affects all versions of Windows except for Windows XP and Windows Server 2003. An attacker could exploit this vulnerability by sending specially crafted packets to a targeted system, which could cause it to stop responding.
"Network admins will want to carefully review and prioritize MS13-049, a network based denial of service bug," Storms said.
Another security bulletin, MS13-048, addresses a vulnerability in the Windows kernel that affects only 32-bit versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 8. To exploit this vulnerability, an attacker would need access to the system in order to execute a specially crafted application, or would need to trick a local user into executing it.
The last security bulletin, MS13-050, addresses a vulnerability in the Windows Print Spooler service that could allow an attacker authenticated as a local user to elevate privileges when deleting a printer connection. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the system with system privileges, Microsoft said.
Microsoft also issued a separate update accompanied by a security advisory as part of its efforts to improve cryptography and digital certificate handling in Windows. This update improves the Certificate Trust List (CTL) functionality in Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012 and Windows RT.
Microsoft did not patch the zero-day vulnerability disclosed recently by Google security engineer Tavis Ormandy, Kandek said. That vulnerability is an elevation-of-privilege (EoP) flaw and cannot be used for remote code execution, but it could be used in a chained attack together with other vulnerabilities, so attackers might attempt to use it, he said.
Microsoft probably already has a patch for it, but the patch hasn't been tested enough, so the company will release it next month, Kandek said.