The November Patch Tuesday advisories are out, and across the board mixed feelings own the day. Relief and frustration are likely present in equal measure for Windows and security administrators alike.
Relief because, for the first time in a few months, this is a relatively straightforward Patch Tuesday, with fixes for most Windows versions, the ever-present IE roll-up patch (MS13-088), and some Office components, but nothing esoteric or difficult to patch. No SharePoint plugins, no complicated .NET patching, no esoteric Office extensions. Though we can’t forget the fun and games that GDI vulnerabilities tend to be for patching teams (MS13-089), this one appears simpler than most.
There is frustration because, according to the MSRC blog, this round of patches does not include a fix for the recently published, exploited-in-the-wild Office vulnerability described in “Microsoft Security Advisory 2896666”. However, there is a “Fix it” for that condition, along with the usual mitigation of deploying EMET (see the advisory for details). While the story of this issue may be getting some mileage, the reality is that it is seeing very limited, targeted exploitation in a specific region AND it requires user interaction to exploit, so I would not worry about it too much. At-risk and high-value systems should have the mitigations in place already, and if not, I suggest you investigate EMET. If you fear that you are at risk of being targeted, apply the Fix it.
Of this month’s advisories, the three rated critical are IE (MS13-088), GDI (MS13-089), and an ActiveX control issue relating to InformationCardSignInHelper (MS13-090 / CVE-2013-3918). Most Windows versions are affected by all three, and all three will be top patching priorities.
Exploit code for the ActiveX InformationCardSignInHelper vulnerability (MS13-090 / CVE-2013-3918) appeared on pastebin this morning. It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public. I would call patching this issue priority #1.
Beyond that, MS13-091 addresses a vulnerability that allows an attacker to gain remote access by tricking a user into opening a malicious WordPerfect file, while MS13-092 addresses one that enables an attacker to elevate privileges from a virtual machine running under Hyper-V.
Also worth mentioning, though probably lower priority, are MS13-094 and MS13-095, which address an information disclosure and a denial of service vulnerability respectively. MS13-094 allows an attacker to gain information about the local network topology via a specially crafted S/MIME attachment. MS13-095 relates to malicious X.509 certificates and could, in some circumstances, be used to DoS a web service.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.