Microsoft Patches 23 Vulnerabilities in Windows, IE, Exchange

ID: IRCNE2013081921
Date: 2013-08-13

According to ZDNet, Microsoft released 8 security bulletins addressing 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange Server.
The first update, MS13-059, is a cumulative update for Internet Explorer that patches 11 separate vulnerabilities, 9 of which are rated Critical on one or more platforms. The 9 critical vulnerabilities are all memory corruption vulnerabilities. The other 2 are rated only Moderate severity on some platforms, for privilege escalation or information disclosure.
MS13-060 (Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution) affects only Windows XP and Server 2003. "The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts."
MS13-061 describes 3 critical vulnerabilities in all currently-supported versions of Exchange Server. The actual vulnerability is in a set of Oracle libraries, called Outside In, which assist in document viewing for users of Outlook Web Access in a web browser. The update installs fixed versions of the Oracle libraries. These vulnerabilities have been publicly disclosed already, but Microsoft states that "Exploit code would be difficult to build".
MS13-062 is a single privilege escalation vulnerability which affects the RPC handling code in all versions of Windows and is rated Important.
MS13-063 describes 4 vulnerabilities, all rated Important, affecting most versions of Windows. One allows bypass of ASLR (Address Space Layout Randomization), a technique used by Windows to defeat many attacks. The other 3 are kernel corruption vulnerabilities which could allow elevation of privilege. These vulnerabilities have been publicly disclosed already.
MS13-064 is a single denial of service vulnerability in the Windows Server 2012 NAT Driver. A specially-crafted ICMP packet could cause the service to stop responding.
MS13-065 is a single denial of service vulnerability in the IPv6 stack in all versions of Windows except XP and Server 2003. This vulnerability is also triggered by a specially-crafted ICMP packet.
MS13-066 is an information disclosure vulnerability in the Active Directory Federation Services (AD FS) in all Intel-based versions of Windows Server other than Server Core.
Microsoft also released 3 non-security updates, as well as the monthly Malicious Software Removal Tool and an update to root certificates.
The first is an update to Windows 8 and RT 'to improve protection functionality in Windows Defender'. The second is for Windows 8, RT and Server 2012 'to resolve issues in Windows'. The third is for all current versions of Windows, also 'to resolve issues in Windows'.

Related Links:
Microsoft Set to Update IE for August Patch Tuesday
