We have seven bulletins from Microsoft this month, addressing a total of 34 vulnerabilities. Six of the bulletins are rated “critical” and allow for Remote Code Execution.
This is quite a high ratio compared to past months, and it is mostly due to the font parsing vulnerability, which is present in three of the seven bulletins. Overall, the focus is clearly on the workstation part of your infrastructure because most vulnerabilities are triggered by users browsing websites, viewing files and watching media.
Our recommendation is to start the patching process with MS13-053, a bulletin for Windows that applies to all versions of the OS. It includes fixes for two high-value vulnerabilities. The first is CVE-2013-3129, the previously mentioned problem with Windows font parsing. The most likely attack vector is an end user browsing a malicious web page or opening an infected document, which results in Remote Code Execution and gives the attacker control of the affected machine.
The second high-profile vulnerability is CVE-2013-3660, a local Windows 0-day that began with a post by Tavis Ormandy to the “full disclosure” mailing list; soon afterwards several implementations were published in underground forums and in security research tools such as Metasploit and Core Impact.
Next on our list is MS13-055, a bulletin for Internet Explorer (IE) that affects all current production versions, from IE 6 to IE 10. It addresses 17 vulnerabilities, several of which can be used to gain control over the attacked workstation through a malicious web page. Since several of the vulnerabilities have an Exploitability Index of “1,” indicating that developing an exploit is well within the capabilities of attack teams, it is worth addressing as quickly as possible.
Two of the remaining bulletins, MS13-052 (.NET and Silverlight) and MS13-054 (GDI+), are the result of the same font parsing vulnerability (CVE-2013-3129) affecting the font implementations in these software packages, which for architectural reasons are separate from the Windows OS; this is what raises the severity of these bulletins to “critical.” A single vulnerability appearing in several bulletins is not common, but it has happened before, for example in MS12-034 (Silverlight) and MS12-039 (Lync), which both addressed the font vulnerability CVE-2012-0159.
The remaining critical bulletins are MS13-057 (Windows Media), which is triggered by a malicious media file, and MS13-058 (DirectShow), which fixes a vulnerability, CVE-2013-, in the handling of the GIF graphics format. MS13-058 is lowest on our list, since no Microsoft product uses the vulnerable GIF function. However, third-party applications are potentially affected.
Adobe is releasing new versions of three products to address security flaws: Adobe Shockwave (APSB13-18), ColdFusion (APSB13-19) and Adobe Shockwave Flash Player (APSB13-17). Users of Internet Explorer 10 (KB2755801) and Google Chrome already have the updates integrated and do not need to install the new version themselves. Everybody else, including Mac OS X users, should apply this critical update as quickly as possible.
By the way, the pre-production Windows 8.1 and IE 11 are not affected by any of these bulletins. However, there are still vulnerabilities in these products, and Microsoft has started a bug bounty program under the BlueHat umbrella while they are in beta. The cash prizes are quite attractive (up to $100,000 USD), and the program seems to be working: it has already attracted several submissions.
Lastly, keep in mind that the month is not over: Oracle will be releasing their quarterly update for all of their software (except Java) next week on Tuesday, July 19.
Author: Wolfgang Kandek, CTO, Qualys.