Tuesday, June 11, 2013

Microsoft Update Tuesday, June 2013: mostly about Internet Explorer

Another month brings us another Update Tuesday. This month is pretty light with respect to the updates that Microsoft is releasing. They're releasing a total of 5 bulletins, covering 23 CVEs.

First and foremost are the critical updates for Internet Explorer (MS13-047). They are releasing updates for 19 CVEs, some of which could allow for remote code execution. These issues cover all supported IE versions, ranging from IE6 to IE10. Unlike last month, these issues do not seem to have been exploited in the wild and were all reported through Microsoft's "Coordinated Vulnerability Disclosure" program. While most issues are triggerable in default configurations of IE, one issue (CVE-2013-3126) requires the user to have enabled script debugging and can only exploited when this mode is active. This is interesting because the target audience running in this mode are probably web developers, potentially exposing them to increased threat of attack.

There's also an update for the Windows Kernel (MS13-048) that fixes an information disclosure vulnerability, covering all currently supported versions of Windows Desktops, ranging from XP to 8 as well as all Windows Server versions.

Another interesting update is to fix a vulnerability in a Windows Kernel Driver (MS13-049) which can result in a Denial Of Service attack. The Denial Of Service attack is possible only after first triggering protection against another potential Denial Of Service: a SYN flood. Once the system detects that a SYN flood is occurring it goes into "SYN Attack Protection" mode, which will reduce the timeout for the system to wait for ACKs. Once the system enters this mode, it is possible to trigger a Denial Of Service that requires a reboot to correct by sending a maliciously crafted packet.

An update is also being issued for a vulnerability in the Windows Print Spooler (MS13-050), that can allow an authenticated user to gain increased privileges.

Finally, the last update this month is for an issue in both Office 2003 and Office for Mac 2011 (MS13-051), that has been exploited in the wild. The vulnerability allows an attacker to gain remote code execution through a maliciously crafted file.

We have detection for many of these vulnerabilities through SIDs: 6700, 26843-26849, 26851-26853, 26867-26878, and 26882-26890.