It's a pretty standard month for Update Tuesday this time around. There's a total of 8 bulletins, covering 23 CVE issues. This bulletin addresses the final 2 issues reported during CanSecWest's Pwn2Own.
As usual, there's the requisite IE bulletin (MS13-059), which covers 11 CVEs. This includes the 1 open IE Pwn2Own issue. The issues cover IE6-IE10 on all versions of Windows. All issues were privately reported to Microsoft, so they haven't been exploited in the wild yet. Several vulnerabilities are the result of a use-after-free, but there's also a stack-based buffer overflow when handling a specific font type (CVE-2013-3181).
This month we also have another font issue (MS13-060), this time in a Unicode font. The vulnerability is only present in XP SP3, XP Professional 64-bit and Windows Server 2003. It can be exploited by embedding a font in a document or a webpage.
There's also an update for Exchange (MS13-061), which is actually just a downstream Oracle Outside In update that Microsoft is applying. The issues were described in CVE-2013-2393, CVE-2012-3776 and CVE 2013-3781.
Bulletin MS13-062 covers an interesting vulnerability (CVE-2013-3175) in the handling of Remote Procedure Calls (RPC). The vulnerability can only be exploited post authentication though: an attacker needs an account and needs to log in before being able to exploit this vulnerability. As such, it's only a potential privilege escalation instead of remote compromise.
There are also a number of kernel vulnerabilities that are being fixed in bulletin MS13-063, affecting most supported Windows versions, including XP up to 8, and Server 2003 and 2008. This bulletin deals with 4 CVEs. Most vulnerabilities result in memory corruption that could allow an an escalation of privileges for the attacker (CVE-2013-3196, CVE-2013-3197, CVE-2013-3198). However, one of the issues being fixed is the final Pwn2Own issue that allowed VUPEN to bypass ASLR (CVE-2013-2556).
There are also 2 interesting denial of service vulnerabilities that are being addressed by MS13-064 and MS13-065. Both can result in a system crash and require a reboot when an attacker sends a maliciously crafted ICMP packet. The first vulnerability (CVE-2013-3182) occurs on servers with the Windows Nat Driver Service running (MS13-064). If the attacker sends a maliciously crafted ICMP packet that contains a truncated IPv6 header, this can cause read access violation, resulting in a system crash. The second vulnerability (CVE-2013-3183) is in the ICMPv6 implementation (MS13-065) and can also result in a system crash if an attacker send a maliciously crafted ICMPv6 Router Advertisement packet that contains an invalid prefix length field.
Finally MS13-066 deals with an information disclosure (CVE-2013-3185) in ADFS. The issue occurs when an attackers visits a specific URL associated with the ADFS service, resulting in a disclosure of account information.
We are releasing rules SID 27605-27616, 27618-27620 and 27624 to address these issues.