Microsoft Patch Tuesday, November 2013

Most of us thought this would be an easymonth with only eight bulletins to deal with and only three listed as critical. Unfortunately, there is evidence of one vulnerability mentioned in those bulletins being activelyexploited in the wild and a second zero-day, which isn't even covered in this month's bulletins, being used by badguys.

What has become known as the TIFF zero-day detailed in SecurityAdvisory 2896666 was not patched this month. Microsoft releaseda Fix-It to help mitigate this actively exploited vulnerability. An actual patchfor it will be out as soon as it is ready and will probably be an out-of-band patch that willcome out well before December's Patch Tuesday.

The second zero-day was found just days ago, and it is also being actively exploited in the wild. However in this caseMicrosoft was able to include a full patch in this month's batch of bulletins.You can read about it as MS13-090 down below.

MS13-088 (KB288505)


Remote CodeExecution in Internet Explorer

CVE-2013-3871 CVE-2013-3871 CVE-2013-3908 CVE-2013-3910CVE-2013-3911

CVE-2013-3914 CVE-2013-3915 CVE-2013-3916 CVE-2013-3917

The patch is offered as a cumulative security update for InternetExplorer and fixes ten privately reported vulnerabilities--the most severe ofwhich could allow remote code execution if a user visits a specifically craftedwebpage. The update is critical for all currently supported versions ofInternet Explorer including Internet Explorer 8.1, 11 and RT Preview editions.The update fixes how Internet Explorer handles special characters in cascadingstyle sheets, print previews and objects in memory. While none of these issueshave yet been seen exploited in the wild, Microsoft does expect exploit codeto be produced rather soon.

MS13-089 (KB2876331)


Remote CodeExecution in Graphics Device Interface


You don't see vulnerabilities involving Word Padevery day and definitely not critical ones that can result in remote codeexecution. The problem lies with how the Graphics Device Interface handlesinteger calculations when processing image files. So if an attacker can get youto open a specially crafted Windows Write File in Word Pad they can run theirown code, which can lead to all sorts of nasty things. While an exploit using this vulnerability hasnot yet been seen in the wild, it shouldn't be too difficult to write one. So getthose patches applied as soon as you can.

MS13-090 (KB2900986)


Remote CodeExecution in Active X Kill Bits


This one is already being actively exploitedin the wild. It was first discovered by FireEye a few days ago. Do not confuse this patch for the Active X kill bits zero-day with the patch for the zero-day that impacts TIFF files. The patch for the TIFF file zero-day should be available soon.

Viewing a specially crafted webpage with Internet Explorer that instigates the InformationCardSigninHelperClass ActiveX control (icardie.dll) could execute arbitrary code remotely. Thispatch addresses the vulnerability by setting kill bits so that the vulnerablecontrol does not run in Internet Explorer.

MS13-091 (KB2885093)


Remote CodeExecution in Microsoft Office

CVE-2013-0082 CVE-2013-1324 CVE-2013-1325

Remember Word Perfect? Well, if a speciallycrafted Word Perfect file is opened in Microsoft Office it could result inremote code execution. This patch is available for Microsoft Office 2003, 2007,2010, 2013, and 2013. One good thing is that this vulnerability cannot beexploited automatically through email. For an attack to be successful, a usermust open an attachment that is sent in an email message. Attackers generallyfind it fairly easy to get users to open attachments. Alternatively an attackercould host the file on a website and then try to get someone to download andopen it from there. Which, again, isn't usually all that difficult.

MS13-092 (KB2893986)


Elevation ofPrivilege in Hyper-V


Hyper-V is a native hypervisor that enablesplatform virtualization on x86-64 systems. If an attacker successfully passes aspecially crafted function parameter in a hypercall from an existing, runningvirtual machine to the hypervisor, they could cause a denial of service or elevation of privileges. The security update addresses the vulnerability byensuring that Hyper-V properly sanitizes user input.

MS13-093 (KB2875783)


InformationDisclosure in Windows Ancillary Function Driver


The Windows Ancillary Function Driver is usedby the WinSock networking stack to implement certain functionality. If anattacker logs on to an affected system as a local user and runs a speciallycrafted application on the system, they could obtain information from ahigher-privileged account. About the only good thing about this vulnerabilityis that it only impacts 64-bit versions of the Windows OS including WindowsXP, Server 2003, Vista, Server 2008, 7, Server 2008 R2, 8 and Server 2012. Thesecurity update addresses the vulnerability by correcting how Windows copiesdata from kernel memory to user memory.

MS13-094 (KB2894514)


InformationDisclosure in Microsoft Outlook


This one is a little tricky and as suchMicrosoft does not expect exploit code to be written to take advantage of thisanytime soon. Regardless users ought to install this patch. If an attackercan get a user to open or preview a specially crafted S/MIME email message, they could ascertain the IP address and openTCP ports of the target system and connected systems. That might not sound likea big deal unless you are the attacker who could use such information to launch additional attacks. This issue is present in Microsoft Outlook2007, 2010, 2013 and 2013 RT.

MS13-095 (KB2868626)


Denial ofService in Digital Signatures


X.509 certificateshelp manage public keys through a Public Key Infrastructure (PKI). This vulnerabilitycould allow denial of service when the X.509 certificate validation operationfails to properly handle a specially crafted X.509 certificate. There are nomitigations or workarounds available for this one so if you want to make sureyou are protected you don't have any choice but to install the patch.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.