November Patch Tuesday Roundup

The weather has taken a turn toward winter in many parts of the United States on this second Tuesday of November. Meanwhile, my friends in Australia are enjoying a sunny summer day. But no matter where you are, hot or cold or in between, IT admins are getting ready to roll out this month’s slate of Microsoft security updates, anxious to get a step ahead of attackers who are looking to exploit the vulnerabilities those patches address.

Many of us were expecting a larger number of bulletins this time, since Microsoft has a tendency to alternate light and heavy months. September brought us 14 bulletins and October only eight, but we’re getting just eight again for November. Does that mean we’ll all be spending our Christmas holidays applying a super-sized round of patches? Only time will tell.

What we do know is that we have only three patches this month that are rated critical, and as in the past couple months, the critical vulnerabilities are all remote code execution flaws. The rest of the updates, rated “important,” are comprised of the usual suspects: information disclosure and denial of service vulnerabilities.

Information disclosure attacks seem to be on the increase lately, but the name can mean different things. In some cases, such attacks are aimed at gathering personal information that might be stored on the computer or device (credit card or banking data, birth dates, full names and other info that could be used by identity thieves). In other cases, this refers to collecting of information about the systems and/or the network that an attacker can use to further penetrate the defenses, such as server names and internal IP addresses, software versions, whether/which systems are patched, and so forth. In either case, it is information that can be misused and that you don’t want unauthorized persons outside the organization to have.

Let’s take a look at each of the updates individually, beginning with those rated critical. Unless otherwise indicated, the patches apply to both 32 and 64 bit operating systems. All of these patches either do or may require a system restart after installation, which means a little added time for deployment. For more details about each update, see the applicable Microsoft Security Bulletin.

CRITICAL

MS13-088 (KB2888505) Affects supported versions of Internet Explorer (6, 7, 8, 9, 10 and 11) on all supported versions of Windows (XP, Vista, Windows 7, Window 8/8.1, RT, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 with the following exceptions: IE 11 on Windows 7 for 32- and 64-bit systems with SP1 and Windows Server 2008 R2 for x64 systems SP1. This is not applicable to Server Core installations (which do not run IE).

The critical rating applies to IE on Windows client operating systems; when running on server operating systems, the severity rating is downgraded to Moderate.

This update addresses ten vulnerabilities in IE, including several that were privately reported by members of HP’s Zero Day Initiative and several privately reported by Bo Qu of Palo Alto Networks. The most serious vulnerabilities can be exploited to gain the same rights as the currently logged-on user and remotely execute code if a user is persuaded to view a malicious web page in IE. The update corrects the problem by changing the way IE handles CSS special characters, objects in memory, and the generation of print previews.

MS13-089 (KB2876331) Affects all supported versions of the Windows operating system: XP, Vista, Windows 7, Windows 8/8.1, RT, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2, including Server Core installations. The critical rating applies to all versions of the operating system, both client and server.

This update addresses one vulnerability in the Windows Graphics Device Interface (GDI) that was privately reported by Hossein Lotfi at Secunia Research. An attacker can exploit the vulnerability to gain the same rights as the currently logged-on user and could remotely execute code if a user can be persuaded to view or open a specially constructed malicious Windows Write file in WordPad. The update corrects the problem by changing the way the GDI handles integer calculations during processing of image files.

MS13-090 (KB2900986) Affects all supported versions of the Windows operating system (XP, Vista, Windows 7, Windows 8/8.1, RT, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2), with the exception of Server Core installations. The critical rating applies to all client operating systems; when running on server operating systems, the severity rating is downgraded to moderate, except for Server Core installations, which are not affected.

This update addresses one vulnerability in an ActiveX control that was privately reported by personnel at Cyber Defense Institute, iSIGHT Partners, and FireEye. An attacker can exploit the vulnerability to remotely execute code if a user is persuaded to view a specially constructed malicious web page in IE that uses the InformationCardSigninHelper Class ActiveX control. The update corrects the problem by setting the ActiveX kill bits to prevent the vulnerable control from running in IE.

IMPORTANT

MS13-091 (KB2885093) Affects supported versions of Microsoft Office (2003, 2007, 2010, and 2013) with the following exceptions: Microsoft Office Compatibility Pack SP3 and Microsoft Office for Mac 2011. The severity rating is important for all rated versions of Office.

The update addresses three different vulnerabilities in the Word Stack Buffer (overwrite vulnerability) and the WPD file format (memory corruption vulnerability) that were privately reported by Will Dormann of CERT/CC and Merliton. An attacker could exploit these vulnerabilities to remotely execute code with the same user rights as the currently logged-on user if the user can be persuaded to open a specially constructed malicious WordPerfect file in an affected version of Microsoft Office. The update corrects the problem by correcting the way Office parses such files.

MS13-092 (KB2893986) Affects Windows 8 x64 (Pro and Enterprise) and Windows Server 2012 (Standard and Datacenter editions, Hyper-V Server), including Server Core installation. Does not affect Windows XP, Vista, Windows 7, Windows 8/8.1 32-bit, RT, Server 2003, 2008, 2008 R2, or 2012 R2. The severity rating is important for the affected versions of Windows.

This update addresses one address corruption vulnerability in Hyper-V that was privately reported by Christian Weyer. An attacker could exploit this vulnerability to obtain an elevation of privileges and/or create a denial of service (DoS) attack against the Hyper-V host, by passing a specially constructed function parameter in a hypercall (communication between the virtual machine and the hypervisor). The update corrects the problem by changing the way Hyper-V handles input from users.

MS13-093 (KB2875783) Affects supported versions of XP Pro x64, Vista x64, Windows 7 x64, Windows 8 x64, Server 2003, 2008 and 2008 R2 for x64 and Itanium-based systems, and Windows Server 2012. This includes server core installations of the affected server operating systems.  Windows client and server 32-bit (x86) operating systems are not affected, nor is Windows 8.1 for x64. No versions of RT are affected. The severity rating is important for all affected systems, both client and server.

This update addresses one vulnerability in the Windows Ancillary Function Driver that was privately reported. An attacker can exploit this vulnerability to obtain disclosure of information, but only if the attacker is able to log onto the affected system as a local user and run a specially constructed application on the system.  In other words, the attacker would have to somehow obtain valid logon credentials and have physical access to the machine. The update corrects the problem by changing the way Windows copies data from kernel memory to user memory.

MS13-094 (KB2894514) Affects supported versions of Outlook in Microsoft Office 2007, 2010, 2013 and 2013 RT. Does not affect Outlook 2003 SP3. Severity rating is important for all affected versions of Outlook.

This update addresses a vulnerability in Outlook that was disclosed publicly by Alexander Klink. An attacker can exploit this vulnerability to obtain disclosure of information about the system (IP addresses, open TCP ports, etc.) that could be used in a further attack, by persuading a user to open or preview a specially constructed malicious email message in Outlook. The update corrects the problem by changing the way Outlook parses S/MIME messages.

MS13-095 (KB2868626) Affects all supported versions of the Windows operating system (XP, Vista, Windows 7, Windows 8/8.1, RT, Server 2003, 2008, 2008 R2, 2012, 2012 R2, including server core installations). The severity rating is important for all affected systems, both client and server.

This update addresses one vulnerability in the handling of digital signatures by Windows that was privately reported by James Forshaw of Context Information Security. An attacker can exploit this vulnerability to create a denial of service (DoS) if the web service processes a specially constructed x.509 certificate used for digital signing. The update corrects the problem by changing how such certificates are handled by Windows.

SUMMARY

This month’s eight security updates address a total of 19 vulnerabilities, with 10 of those being in Internet Explorer. Most of these exploits require that a user take some action or that the attacker have local access, or other conditions that would not normally exist if best security practices are in place. Nonetheless, it is essential to patch these vulnerabilities as soon as possible, after normal testing has taken place, as several of these vulnerabilities affect a broad scope of Windows operating systems or Office software that are in common use in most business environments.

Like our posts? Subscribe to our RSS feed and be the first to get them!