The vulnerabilities in IE, .Net framework and Windows Kernel-Mode Drivers, were listed as the most serious, categorised as critical. The IE vulnerabilities were disclosed by Microsoft last month after it released a broken patch for them, which was subsequently pulled.
The news was troubling as it meant hackers had been alerted to vulnerabilities before Microsoft had a chance to fully fix them, leaving businesses with a temporary "Fix It" workaround. Trustwave director of security research Ziv Mador said the lack of a true fix was dangerous as the vulnerabilities could be exploited by hackers to mount a remote code execution attack.
"This is the biggie that everyone has been worried about, that was first announced last month and for which Microsoft issued a Fix It," he said.
"The good thing is that if you already applied the Fix It, you do not need to undo the changes before applying this update. The issue with all 10 of these vulnerabilities has to do with how IE handles objects in memory; if items in memory get corrupted in a certain way an attacker could cause that corruption to execute arbitrary code."
The bulletin issued a similar advisory for the .Net framework and Windows Kernel-Mode Drivers vulnerabilities. Ross Barrett, Rapid 7 senior manager of security engineering, warned that if left unpatched the vulnerabilities could theoretically be exploited by hackers for a variety of purposes.
"MS13-081 (vulnerabilities in Windows Kernel-Mode Drivers) addresses an exploit path (CVE-2013-3128), which would give an attacker kernel-level access on a system that attempts to render a page containing a malicious OpenType font," he said.
"Technically one of the CVEs in MS13-082 (vulnerabilities in .Net framework) addresses a variant of the same issue, which Microsoft found by auditing the reuse of that code. In this case the variant would only give user-level access to that attacker. At this time this issue is not known to be under active exploitation."
Barrett added that the vulnerability in the Windows Common Control Library was particularly interesting, as it could theoretically be targeted by a self-spreading worm attack.
"MS13-083 looks like a really fun one – a remote, server-side vulnerability offering remote code execution that is hittable through ASP.net webpages. This is a genuine article; a real, honest to goodness, potentially ‘wormable' condition," he said.
"If the bad guys figure out a way to automate the exploitation of this, it could spread rapidly and the defence in depth measures of your organisation will be tested. However, this vulnerability was privately reported to Microsoft and is not known to be under active exploitation."
Important patches for vulnerabilities in Microsoft Word, Excel and Windows Common Control Library were also released. Microsoft downplayed the significance of the Word and Excel patches, confirming that an attack would only have real significance if it managed to infect a machine with high-level administrative rights.
"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," read the bulletin.
Persuading businesses to install patches more regularly has been an ongoing problem facing the security community.
Most recently the dilemma was showcased by the fact numerous firms are still running the outdated Windows XP operating system. The news is troubling as in less than six months Microsoft will officially cease support for the OS, meaning new security vulnerabilities will no longer be patched.
No comments:
Post a Comment