Tuesday, October 8, 2013

Microsoft Update Tuesday October 2013: Another IE 0-day release

This month's Microsoft Tuesday Update brings us 8 bulletins for a total of 26 CVEs. Four of these bulletins are marked as critical, while the rest are marked as important.

First, let's take a look at the 4 critical bulletins:

The most important update this month is a cumulative update for IE (MS13-080), which fixes 10 CVE issues, 2 of which have already been exploited by attackers. The first 0-day that's being fixed was widely reported and exploited (CVE-2013-3893). The second one (CVE-2013-3897) was also exploited on the web, but in a more targeted manner. We have a blog post concerning this vulnerability here.  Most of the issues fixed in this bulletin are the result of use-after-free vulnerabilities.

The second bulletin (MS13-081) covers Windows Kernel Mode Drivers. One particularly interesting vulnerability (CVE-2013-3200) this month is in the way that Windows parses USB descriptors, resulting in a vulnerability that could allow an attacker to gain code execution at system level by simply inserting a USB key in a machine.

The next bulletin (MS13-082) shares a CVE (CVE-2013-3128) with MS13-081 and is the result of an issue with handling OpenType fonts, which could allow an attacker to not only gain remote code execution by embedding a malicious font in a webpage, it can also result in system level code execution, because the vulnerability also exists in the way kernel mode drivers handle these fonts.

The final critical bulletin (MS13-083) is for the ComCtl32 library and is the result of an integer overflow (CVE-2013-3195) when calling the library function. This could allow an attacker to execute remote code by exploiting an application that calls this library function.

Now for the important bulletins:

MS13-084 which addresses SharePoint and MS13-085 which addresses Excel also share 1 CVE (CVE-2013-3889), where an attacker can gain remote code execution by passing in a malicious office document.

The bulletins each also have 1 vulnerability each that they do not share. The separate Excel vulnerability (CVE-2013-3890) is similar to CVE-2013-3889. The second SharePoint vulnerability (CVE-2013-3895) however is a reflective XSS. An attacker may be able to perform a XSS on POST data that is not filtered before it is returned to the user.

Word has a bulletin (MS13-086) that covers 2 CVEs. One of these (CVE-2013-3891) is particularly interesting because it's the result of a stack-based buffer overflow. The buffer overflow can be triggered by an attacker by specifying a large macro as part of a malicious Word document, potentially resulting in remote code execution.

Finally, the last bulletin (MS13-087) covers an information disclosure vulnerability (CVE-2013-3896) in Silverlight, where an attacker might be able to perform a buffer overread: reading past the bounds of an object. This information could then be used by an attacker to bypass ASLR when exploiting another vulnerability.

Rules SID 27943-27944, 28151, 28158-28163, 28191, 28202-28206 are being released to address these issues.

No comments:

Post a Comment