Five of the advisories are rated critical, including one affecting Exchange and one affecting both SharePoint and Lync, not to mention the monthly critical patch for Internet Explorer. Microsoft has given a critical with priority 1 rating to the three of them, MS13-096 (GDI+), MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime). Those three advisories are my top patching priorities. Get the shared and exposed resources patched first.
Regarding MS13-099, this is an interesting vulnerability because it’s exploitable by VBA script and is not mitigated by EMET counter measures. Hence the high risk and priority ratings given by Microsoft. This issue is not yet publicly under exploit, but could be an early candidate to make the jump.
This round of patching addresses the GDI+ issue which was publicly disclosed in early November in Security Advisory 2896666 and then blogged about by the various researchers. We also see a Kernel Driver patch (MS13-101) but this round of patching does not include a fix for the publicly disclosed Kernel Elevation of Privilege issue reported in Security Advisory 2914486.
MS13-104, relating to Office and cloud services, has been seen exploited in the wild. This information disclosure issue affects the Office “client” and could allow an attacker to hijack an authentication token and gain access to documents stored in cloud resources.
MS13-105 includes four CVEs, one of which was previously addressed in MS13-067 (CVE-2013-1330), so it’s not clear if the MS13-067 patch was found to be incomplete or if this is a variant of that issue which did not merit a new CVE.
MS13-106 is a fix for an Address Space Layout Randomization (ASLR) avoidance issue. Essentially, this fixes an issue which, when used in conjunction with another attack, allowed the attacker to defeat the ASLR counter measure, which can be a compile time option or applied at runtime via EMET.
On top of the vulnerability issues, Microsoft has released 4 other advisories. One of which is an important issue for ASP.NET applications, which is not going out in a vulnerability advisory because it could break a lot of ASP.NET deployments but is a vulnerability in an authentication-related function call. .NET developers should pay attention to this. Also, Microsoft is revoking validation for “non-compliant” and “not supported” boot loaders. We shall see who complains.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.