We have a relatively light Update Tuesday this month: 8
bulletins covering 19 CVEs, 3 of which are marked critical. The most
interesting vulnerability this month is actually among the non-critical bulletins: a
vulnerability in Hyper-V (MS13-092). We’re also getting a fix for a 0-day vulnerability
in ActiveX (MS13-090).
As always there’s the requisite critical IE bulletin
(MS13-088), this time covering ten CVEs. The vulnerabilities span IE
releases 6 through 11 and cover the usual suspects: use-after-free and
information disclosure vulnerabilities.
The next critical bulletin (MS13-089) is for the Windows Graphical
Device Interface (GDI), where a malicious embedded BMP can result in remote
code execution (CVE-2013-3940). The likely attack vector for this vulnerability
would be a WordPad file with the BMP embedded, which will cause a buffer
overflow when opened.
MS13-090, the final critical bulletin, provides a fix for a
0-day vulnerability (CVE-2013-3918) that’s seeing limited exploitation in the
wild. The vulnerability exists in the “InformationCardSigninHelper”
ActiveX control, where an out-of-bounds access can occur on a deleted array,
potentially allowing an attacker to execute arbitrary code. Microsoft briefly
discusses this vulnerability, along with a second information disclosure
vulnerability, in a blog post.
There are three vulnerabilities in Office (MS13-091)
related to the handling of WordPerfect documents that can result in remote code
execution when exploited. The vulnerabilities result in stack-based buffer
overflows when Word tries to convert WordPerfect documents containing an
invalid number of CSTYL elements.
The next bulletin (MS13-092) covers a vulnerability (CVE-2013-3898) in Hyper-V, Microsoft’s hypervisor. The
vulnerability can result in an escalation of privilege because it can allow an
attacker to run code from one virtual machine in the context of another. A
failed attack can result in a denial of service.
An information disclosure vulnerability (CVE-2013-3887)
exists in the Windows Ancillary Function Driver (MS13-093), where an attacker
could use a guest account to run a malicious binary that would disclose
information from other accounts.
Outlook (MS13-094) has an interesting information disclosure
vulnerability (CVE-2013-3905), where an attacker can send a user an S/MIME email
that will send information on the internal network back to the attacker
when the email is parsed by Outlook.
MS13-095 covers a single vulnerability (CVE-2013-3869) in the
parsing of XML digital signatures in .NET. It occurs when a malicious PFX
file is passed in as an X509 certificate, causing a denial of service.
We are releasing rules with SIDs 28489-28492 and 28494-28524 to
address these issues.