November Patch Tuesday: Light on critical updates

Only three Critical updates are included in Microsoft’s November Patch Tuesday release. With the remaining five updates rated as Important, November is an average Patch Tuesday for Microsoft, covering 19 vulnerabilities in patches for Office and Internet Explorer.

The first Critical update, MS13-088, deals with 10 vulnerabilities in Microsoft’s Internet Explorer (IE). This update affects almost all of the desktop and server platforms for Windows, including both 32- and 64-bit versions. Only Windows 7 (Service Pack 1) and Server 2012 with IE Version 11 are not affected by this update. Unless these reported vulnerabilities are patched, an attacker could remotely execute code on a compromised machine, so this patch is a high priority and should be scheduled for rapid deployment within your organization.

The second Critical patch, MS13-089, also deals with a Remote Code Execution vulnerability in Windows. This patch applies to all the desktop and server platforms, but ─ most importantly ─ Windows Server Core is affected on both 32- and 64-bit platforms. The vulnerability resolved in this update relates to a sophisticated “phishing” style attack through specially crafted WordPad files. The issue relates to the WordPad converter (mswrd8.wpc), and a viable work-around could include restricting access to the converter file set until a patch is successfully deployed. Applying this patch also should be a high priority for most organizations.

The last Critical update, MS13-090, relates to an actively exploited AxtiveX vulnerability. ActiveX is a technology from Microsoft supporting a “plug-in” architecture that allowed developers to add functionality and features to Windows applications and Internet Explorer. Unfortunately, the AxtiveX technology was designed and developed before security became a “moral imperative” at Microsoft, and has been a source multiple serious vulnerabilities over the past several years. As if to drive home this point, MS13-090 directly replaces an update from October’s Patch Tuesday update. This is a patch now update and should be an immediate priority for any organization.

Of the remaining five Important updates, the first, MS13-091, resolves three privately reported vulnerabilities in Microsoft Office. These vulnerabilities could allow remote code execution if a specially crafted WordPerfect document file is opened in an affected version of Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The next, MS13-092, relates to a vulnerability in Microsoft Office that, with a specially crafted word document, may allow remote code execution by an attacker. One of the reasons this vulnerability is not rated as Critical is because, in the worst case scenario, the attacker will have only the same rights as the current user (reading or writing that Word document). So, if the user has employed a reduced rights scenario like Microsoft’s User Account Control, or does not have administrator privileges, the core security of the machine will not be compromised.

The next Important update, MS13-093, deals with an elevation of privilege attack and the potential for a denial-of-service attack in the Microsoft Hyper-V virtualization stack.  Another Microsoft Office-related update , MS13-094, relates to a potential Information Disclosure vulnerability in Microsoft Outlook. Information such as IP addresses and ports on that machine and other connected machines may be disclosed to a remote attacker unless this patch is applied. The final Important update for this November Patch Tuesday is MS13-095, which relates to Microsoft Windows digital signatures. Unless this patch is applied to a vulnerable machine, a specially crafted web service may result in a successful Denial of Service attack.

Copyright © 2013 IDG Communications, Inc.

Shop Tech Products at Amazon