Older Versions of Internet Explorer, Office, Silverlight become Ghastly, Ghoulish Treehouse of Horrors
Microsoft’s 2013 Treehouse of Horror Bulletins include a long list of fixes for memory corruption vulnerabilities effecting mostly previous versions of the software, and not the latest versions. Of immediate interest to most Windows users are the critical vulnerabilities being patched in Internet Explorer, multiple Windows drivers, and the .Net Framework which even effects the latest versions of Windows 8 and Windows Server 2012. Systems administrators at organizations also may pay immediate attention to the critical vulnerabilities in the Windows Common Control Library patched by MS13-083, which enables server side ASP.NET webapp exploitation on 64 bit systems. MS13-080 through MS13-087 include four Bulletins rated critical and four Bulletins rated Important addressing 26 vulnerabilities.
Much of the list of ghoulish October Bulletins appears to be similar to September’s list, but the news of note this month is that the Internet Explorer vulnerabilities CVE-2013-3893 and CVE-2013-3897 are being exploited as a part of targeted attacks. We have been monitoring the situation in Japan and southeastern asia, where attackers have been using exploits that succesfully pop Internet Explorer versions 8 and 9.
It’s somewhat surprising that the Office vulnerabilities effecting Office 2003 and 2007 are only being rated “important” this month being patched with MS13-084, MS13-085, and MS13-086, considering that Microsoft Excel and Word have been leading vectors of spearphishing attacks for the past year or so. The vulnerabilities enable remote code execution on systems where the user is duped into opening the attachment.
Interesting and unusual is this month’s Windows Common Control Library vulnerability effecting only x64 ASP.NET web applications. Attackers may send a pre-authentication web request to web applications attacking integer overflow vulnerability CVE-2013-3195 enabling remote code execution. System admins following best practices may end up with process running on their web servers with local user rights.
Full ghastly October Bulletin details on Microsoft’s site here. Microsoft’s Update software is a convenient and easy way to update your system software every month. If you are running Microsoft software, please go ahead and do so now.