We have a relatively light Update Tuesday this month: 8 bulletins covering 19 CVEs, 3 of which are marked critical. The most interesting vulnerability this month is actually in the non-critical ones: a vulnerability in Hyper-V (MS13-092). We’re also getting a fix for a 0-day vulnerability in ActiveX (MS13-090).
As always there’s the requisite critical IE bulletin (MS13-088), this time covering ten CVEs. The vulnerabilities span the range of IE releases from 6-11 and cover the usual suspects of use-after-free and information disclosure vulnerabilities.
The next critical bulletin (MS13-089) is for the Windows Graphical Device Interface (GDI), where a malicious embedded BMP can result in remote code execution (CVE-2013-3940). The likely attack vector for this vulnerability would be a WordPad file with the BMP embedded, which will cause a buffer overflow when opened.
MS13-090, the final critical bulletin, provides a fix for a 0-day vulnerability (CVE-2013-3918) that’s seeing limited exploitation in the wild. The vulnerability exists in the “InformationCardSigninHelper” ActiveX control, where an out of bounds access can occur on a deleted array, potentially allowing an attacker to execute arbitrary code. Microsoft has a short discussion on this vulnerability and a second information disclosure vulnerability in a blog post.
There are three vulnerabilities in Office (MS13-091), related to the handling of WordPerfect documents that can result in remote code execution when exploited. The vulnerabilities result in stack-based buffer overflows when Word tries to convert WordPerfect documents containing an invalid number of CSTYL elements.
The next bulletin (MS13-092) covers a vulnerability (CVE-2013-3898) in Hyper-V, Microsoft’s hypervisor. The vulnerability can result in an escalation of privilege because it can allow an attacker to run code from one virtual machine in the context of another. A failed attack can result in a denial of service.
An information disclosure vulnerability (CVE-2013-3887) exists in the Windows Ancillary Function Driver (MS13-093), where an attacker could use a guest account to run a malicious binary that would disclose information from other accounts.
Outlook (MS13-094) has an interesting information disclosure vulnerability (CVE-2013-3905), where an attacker can send a user an S/MIME email that will send back information on the internal network back to the attacker when the email is parsed by Outlook.
MS13-095 covers a single vulnerability (CVE-2013-3869) when parsing XML digital signatures in .NET. This occurs when passing in a malicious PFX file as X509 certificate, causing a denial of service.
We are releasing rules SID 28489-28492, 28494-28524 to address these issues.