Follow GFI:
Find us on Facebook Follow us on Twitter Find us on Linkedin Subscribe to our RSS Feed Find us on YouTube Find us on Google+
 

October Patch Tuesday Roundup

on October 8, 2013

October Patch Tuesday

It’s that time again, and many network admins are probably approaching it with a little more anxiety than usual, considering the myriad problems that followed in the wakes of the August and September Patch Tuesdays.

This Patch Tuesday is a special one, as it marks the 10th anniversary of the program that began in October of 2003. Prior to that, security (and other) fixes were issued on a “just in time” basis, often with little or no warning. Admins could find themselves applying patches every few days. The predictability of a regular update cycle has made IT pros’ lives easier, and the information contained in the advance notification and the bulletins themselves simplifies the process of deciding what and when to patch.

October is a light month in comparison to September, bringing us eight security bulletins, with only four of those rated as critical. All told, 28 vulnerabilities are addressed by these fixes. Once again, we have updates for Office applications, and all supported versions of the Windows operating system are affected by one or more of the vulnerabilities. All but one of the eight vulnerabilities can be exploited to allow an attacker to run code remotely on the affected systems. The eighth can result in disclosure of private information.

The cumulative IE update would probably be considered the most important, as it addresses the zero day vulnerability for which an exploit was reported being used in Advanced Persistent Threat (APT) campaigns.

Let’s take a look at each of the updates individually, beginning with those rated critical. Unless otherwise indicated, the patches apply to both 32 and 64 bit operating systems. All except one of these patches may require a system restart after installation; the exception is MS-013-087. For more details about each update, see the applicable Microsoft® Security Bulletin (linked).

CRITICAL

MS13-080 (KB2879017) Affects supported versions of Internet Explorer (6, 7, 8, 9, 10 and 11) on all supported Windows operating systems (XP, Vista, Windows 7, Windows 8, RT, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 on both 32 and 64 bit platforms) with the following exceptions: IE 11 running on Windows 7 (32 and 64 bit) Service Pack 1 or Server 2008 R2 Service Pack 1 and server core installations (which do not run IE).

The critical rating applies to IE running on client operating systems; when running on server operating systems, the severity rating is downgraded to moderate.

This cumulative update addresses ten vulnerabilities in Internet Explorer, the most serious of which could result in remote execution of code. A user would have to open a specially crafted malicious web page for the exploit to work. The update corrects the problem by changing the way IE handles objects in memory.

MS13-081 (KB2870008) Affects supported versions of Windows ((XP, Vista, Windows 7, Windows 8, RT, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 on both 32 and 64 bit platforms) with the following exceptions: Windows 8.1, Windows RT 8.1 and Server 2012 R2 (including server core installation). Server core installations on pre-2012 R2 servers are vulnerable.

The critical rating applies to IE running on client operating systems; when running on server operating systems, the severity rating is downgraded to important.

 

This update addresses seven vulnerabilities in the kernel-mode drivers in Windows, the most serious of which could result in remote execution of code and the complete takeover of the system. The exploits requires that a user view a shared file containing embedded OpenType or TrueType fonts. The update corrects the problem by changing the way Windows handles this type of font file and the way Windows handles objects in memory.

MS13-082 (KB2878890) Affects the .NET Framework running on supported versions of Windows ((XP, Vista, Windows 7, Windows 8, RT, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 on both 32 and 64 bit platforms) with the following exceptions: .NET Framework versions 1.0 SP3 and 1.1 SP1, Windows 8.1, Windows RT 8.1 and Server 2012 R2 (including server core installation). Server core installations on Server 2008 SP2 is also not affected. Server core installations on Server 2008 and 2012 (not the R2 editions) are affected.

The critical rating applies to IE running on client operating systems; when running on server operating systems, the severity rating is downgraded to important.

This update addresses a pair of vulnerabilities in the .NET Framework, the most serious of which could allow remote execution of code or result in a denial of service attack. The exploit works when a user visits a web site containing a malicious OpenType font file. Only certain web browsers are vulnerable.  The update corrects the problem by changing the way the .NET Framework handles OpenType fonts and XML digital signatures.

MS13-083 (KB2864058) Affects most supported versions of Windows ((XP X64, Vista, Windows 7, Windows 8, RT, Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2 on both 32 and 64 bit platforms) with the following exceptions: Windows XP SP3, Windows 8.1, Windows RT 8.1 and Server 2012 R2 (including server core installation). Server core installations on pre-2012 R2 servers are vulnerable.

The critical rating applies to all but the following operating systems, which are unrated: Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, Windows 7 32-bit SP2, Windows 8 32-bit, Windows RT, Windows Server 2008 32-bit SP2. Microsoft recommends that the update be applied to the unrated systems.

This update addresses one vulnerability in the Windows Common Control Library that could result in remote execution of code when an attacker sends a web request to an ASP.NET application that’s running on the system. The attacker does not have to be authenticated in order for this exploit to work. The update fixes the problem by changing the way the Common Control Library allocates memory.

IMPORTANT

MS13-084 (KB2885089) Affects SharePoint Server 2007 SP3, 2010 SP1 and SP2, and 2013. Affects Microsoft Office Web Apps 2010 SP1 and SP2. Does not affect SharePoint Portal Server 2003 SP3, SharePoint Services 2.0, SharePoint Foundation 2013, Microsoft Web Applications on SharePoint Server 2013 or Excel Web App on SharePoint Server 2013.

The important rating applies to all affected software.

This update addresses a pair of vulnerabilities in the SharePoint Server software, the most serious of which could remote in the remote execution of code. For the exploit to work, a user would have to open a specially crafted malicious Office file in SharePoint Server, Office Services or Office Web Apps. The update fixes the problem by correcting the way data is validated during parsing of Office files. It also changes the configuration of SharePoint pages.

MS13-085 (KB2885080) Affects supported versions of Microsoft Excel in Microsoft Office 2007, 2010, 2013, 2013 RT, Office for Mac 2011, as well as Excel Viewer and the Office Compatibility Pack SP3. Does not affect Excel 2003 SP3 or Office 2003 SP3.

The important rating applies to all affected software.

This update addresses a pair of vulnerabilities in Microsoft Excel, which could result in an attacker obtaining the user rights of the logged in user and this could lead to remote execution of code if the user account has this right. This exploit works when a user opens a specially crafted malicious Office file. The updates fixes the problem by changing how Excel validates data during the parsing of Office files.

MS13-086 (KB2885084) Affects supported versions of Microsoft Word in Microsoft Office 2003 SP3 and 2007 SP3, as well as the Office Compatibility Pack SP3. Office 2010, 2013, 2013 RT and Office for Mac 2011 are not affected, nor is the Word Viewer.

The important rating applies to all affected software.

This update addresses a pair of vulnerabilities like those described in MS-085 but this time in Microsoft Word, which could result in an attacker obtaining the user rights of the logged in user and this could lead to remote execution of code if the user account has this right. This exploit works when a user opens a specially crafted malicious Office file. The update fixes the problem by changing the way Word parses specially crafted files.

MS13-087 (KB2890788) Affects all versions of Microsoft Silverlight 5, including Silverlight 5 when installed on all supported versions of Microsoft client and server operating systems or on Mac systems. This includes the Silverlight 5 Developer Runtime.

The important rating applies to all affected software.

This update addresses one vulnerability in Microsoft’s Silverlight technology. To exploit this vulnerability, an attacker would need to host a web site that runs a specially crafted malicious Silverlight application, or put a malicious ad or other content that uses Silverlight onto someone else’s web site that allows the upload of content from users.  A user would have to visit the web site where the malicious content is host for his/her system to be affected. If this happens, the exploit could result in disclosure of information from the affected system. The update fixes the problem by changing how Silverlight checks memory pointers.

SUMMARY

Will there be problems and patch recalls again this month? Only time will tell. Check back here for news of any issues that emerge as the patches roll out on production networks. We will also be posting our summary of the most important third party patch releases for October at the end of the month, as well as any other news related to security updates or the updating process, so stay tuned to this blog.

About the Author:

Debra Littlejohn Shinder has been working and writing in the field of IT security since 1998. She’s an author of and contributor to over 25 books on computer technology, including “Scene of the Cybercrime,” based on her previous experience as a police officer and police academy instructor. Deb is owner and CEO of TACteam and has contracted with Microsoft, Intel, HP, Prowess Consulting, Sunbelt Software, GFI Software, ConfigureSoft, 2X Software and other software and hardware companies. She currently writes articles and blogs for Windowsecurity.com, WindowsNetworking.com and ISAserver.org and has published more than 1500 articles for web sites and print magazines. Deb has been a Microsoft MVP in the area of enterprise security for the past ten years.

 

 
  • TalkTechToMe
  • TalkTechToMe TV
  • GFI Patch Central - Patch updates made easy