Microsoft Update Tuesday November 2013: HyperV vulnerability and fix for 0day

We have a relatively light Update Tuesday this month: 8 bulletins covering 19 CVEs, 3 of which are marked critical. The most interesting vulnerability this month is actually in the non-critical ones: a vulnerability in Hyper-V (MS13-092). We’re also getting a fix for a 0-day vulnerability in ActiveX (MS13-090).

As always there’s the requisite critical IE bulletin (MS13-088), this time covering ten CVEs. The vulnerabilities span the range of IE releases from 6-11 and cover the usual suspects of use-after-free and information disclosure vulnerabilities.

The next critical bulletin (MS13-089) is for the Windows Graphical Device Interface (GDI), where a malicious embedded BMP can result in remote code execution (CVE-2013-3940). The likely attack vector for this vulnerability would be a WordPad file with the BMP embedded, which will cause a buffer overflow when opened.

MS13-090, the final critical bulletin, provides a fix for a 0-day vulnerability (CVE-2013-3918) that’s seeing limited exploitation in the wild.  The vulnerability exists in the “InformationCardSigninHelper” ActiveX control, where an out of bounds access can occur on a deleted array, potentially allowing an attacker to execute arbitrary code. Microsoft has a short discussion on this vulnerability and a second information disclosure vulnerability in a blog post.

There are three vulnerabilities in Office (MS13-091), related to the handling of WordPerfect documents that can result in remote code execution when exploited. The vulnerabilities result in stack-based buffer overflows when Word tries to convert WordPerfect documents containing an invalid number of CSTYL elements.

The next bulletin (MS13-092) covers a vulnerability (CVE-2013-3898) in Hyper-V, Microsoft’s hypervisor. The vulnerability can result in an escalation of privilege because it can allow an attacker to run code from one virtual machine in the context of another. A failed attack can result in a denial of service.

An information disclosure vulnerability (CVE-2013-3887) exists in the Windows Ancillary Function Driver (MS13-093), where an attacker could use a guest account to run a malicious binary that would disclose information from other accounts.

Outlook (MS13-094) has an interesting information disclosure vulnerability (CVE-2013-3905), where an attacker can send a user an S/MIME email that will send back information on the internal network back to the attacker when the email is parsed by Outlook.

MS13-095 covers a single vulnerability (CVE-2013-3869) when parsing XML digital signatures in .NET.  This occurs when passing in a malicious PFX file as X509 certificate, causing a denial of service.

We are releasing rules SID 28489-28492, 28494-28524 to address these issues.