One more go around the block for 2013 and like the last, late tropical storm of the season, Microsoft is taking one last swipe and security and IT teams alike.
This Patch Tuesday features a solid 11 advisories affecting 6 different product types. All supported versions of Windows, Office, Sharepoint, Exchange, Lync and a mixed bag of developer tools are affected. 5 of the advisories are rated critical, including one affecting Exchange and one affecting Sharepoint and Lync, not to mention the monthly critical patch for Internet Explorer. Microsoft has given a critical with priority 1 rating to the three of those, MS13-096 (GDI ), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime). Those three are my top patching priorities. Get the shared and exposed resources patched first.
Regarding MS13-099, this is an interesting vulnerability because it's exploitable by VBA script and is not mitigated by EMET counter measures. Hence the high risk and priority ratings. This issue is not yet publicly under exploit, but could be an early candidate to make that jump.
This round of patching addresses the GDI issue that which was publicly disclosed in early November in Security Advisory 2896666 and blogged about by the various researchers. We also see a Kernel Driver patch (MS13-101) but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.
MS13-104, relating to Office and cloud services has been seen to be exploited in the wild. This information disclosure issue affects the Office “client” and could allow an attacker to hijack an authentication token and gain access to documents stored in cloud resources.
MS13-105 includes four CVEs, one of which was previously addressed in MS13-067 (CVE-2013-1330), so it's not clear if the MS13-067 patch was found to be incomplete or if this is some variant of that issue which did not merit a new CVE.
MS13-106 is a fix for an Address Space Layout Randomization (ASLR) avoidance issue. Essentially, this fixes an issue which, when used in conjunction with another attack, allowed the attacker to defeat the ASLR counter measure, which can be a compile time option or applied at runtime via EMET.
On top of the vulnerability issues, Microsoft has released 4 other advisories. One of which is an important issue for ASP.NET applications which is not going out in a vulnerability advisory because it could break a lot of ASP.NET deployments, but is a vulnerability in an authentication related function call. .NET developers should pay attention to this. Also, Microsoft is revoking validation fro “non-compliant” and “not supported” boot loaders, we shall see who complains.
It's going to be a busy month for all teams involved here, happy patching all.