Microsoft patches critical IE vulnerabilities and actively exploited Office flaw

Patching the vulnerabilities in IE and Office should be a priority, security researchers said

A new batch of security updates released by Microsoft on Tuesday address a total of 23 vulnerabilities in Internet Explorer, Windows and Microsoft Office, including one that is actively exploited by attackers. The handling of digital certificates in Windows was also improved.

Only the security bulletin for Internet Explorer, identified as MS13-047, is rated critical. This bulletin addresses 19 privately reported vulnerabilities that affect all Internet Explorer versions, from IE 6 to 10, and could allow remote attackers to execute code on computers with the privileges of the active user.

In order to exploit one of these vulnerabilities attackers need to set up a maliciously crafted Web page and trick users into visiting it. However, on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012, Internet Explorer runs in a restricted mode called Enhanced Security Configuration that mitigates the vulnerability.

These Internet Explorer vulnerabilities might be a target for attackers who could try to reverse engineer the patches and build reliable exploits, said Wolfgang Kandek, the chief technology officer at security vendor Qualys.

According to a risk assessment table for the vulnerabilities that was published Tuesday on the Microsoft Research and Defense blog, Microsoft believes that its likely to see reliable exploits for the Internet Explorer vulnerabilities developed within next 30 days.

One of the vulnerabilities that Kandek is most concerned about affects Microsoft Office 2003 and Microsoft Office for Mac 2011 -- the most recent version of Office available for Mac OS X. This remote code execution flaw was addressed in the MS13-051 security bulletin, but is already being actively exploited in targeted attacks. Despite this, Microsoft only rated the security bulletin as important and not critical.

The vulnerability stems from an error in how Microsoft Office components process PNG files and can be exploited by tricking users to open specially crafted files or to preview specially crafted email messages with an affected version of Microsoft Office.

"The attacks we observed were extremely targeted in nature and were designed to avoid being investigated by security researchers," said Neil Sikka, a security engineer with the Microsoft Security Response Center, in a blog post Tuesday. "The malicious samples observed are Office documents (Office 2003 binary format) which do not include the malicious PNG file embedded directly in the document. Rather, the documents reference a malicious PNG file loaded from Internet and hosted on a remote server."

This vulnerability is a classic buffer overflow bug, said Andrew Storms, director of security operations at security vendor Tripwire, via email. "It's unfortunate that even the most recent version of the Mac Office product still contains such a well understood vulnerability. This probably should have been caught during Microsoft's development processes before release."

"It's disappointing to see that Mac users of Microsoft software get the short end of the stick when it comes to security," said Tyler Reguly, technical manager of security research at Tripwire, via email. "You have to wonder how a vulnerability that only affects Office 2003 is also in Office for Mac 2011. As a Mac user, I find this advisory very disconcerting."

Even though later versions of Office for the Windows platform are not affected by this vulnerability, Office 2003 is still used by a lot of people, which makes this a serious vulnerability, Kandek said.

Another security bulletin released Tuesday, MS13-049, addresses a denial-of-service vulnerability in the Windows TCP/IP driver that affects all versions of Windows except for Windows XP and Windows Server 2003. An attacker could exploit this vulnerability by sending specially crafted packets to a targeted system which could cause it to stop responding.

"Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter," Microsoft said in the security bulletin.

"Network admins will want to carefully review and prioritize MS13-049, a network based denial of service bug," Storms said. "Unfortunately, newer versions of Windows can be exploited by the bug via a remote attack surface -- diminishing the long-standing thought that newer software is more secure."

Another security bulletin, MS13-048, addresses a vulnerability in the Windows kernel that affects only 32-bit versions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7 and Windows 8. In order to exploit this vulnerability an attacker would need to have access to the system in order to execute a specially crafted application or would need to trick a local user to execute it.

"This vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system," Microsoft said in the security bulletin.

The last security bulletin, MS13-050, addresses a vulnerability in the Windows Print Spooler service that could allow an attacker authenticated as a local user to elevate his privilege when deleting a printer connection. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on the system with system privileges, Microsoft said.

Microsoft also issued a separate update accompanied by a security advisory as part of its efforts to improve cryptography and digital certificate handling in Windows. This update improves the Certificate Trust List (CTL) functionality in Windows Vista, Windows Server 2008, Windows 7, Windows 8, Windows Server 2012 and Windows RT.

The update allows administrators to configure domain-joined computers to use auto update without having access to the Windows Update site, configure domain-joined computers to independently opt in to auto update for both trusted and disallowed CTLs, as well as examine the set of roots in Microsoft root programs and to choose a subset of them for distribution via Group Policy, Microsoft said.

Microsoft did not patch the zero-day vulnerability disclosed recently by Google security engineer Tavis Ormandy, Kandek said. That vulnerability is an elevation of privilege (EoP) one and cannot be used for remote code execution, but it could be used in a chained attack together with other vulnerabilities, so attackers might attempt to use it, he said.

Microsoft probably already has a patch for it, but it hasn't been tested enough so it will release it next month, Kandek said. However, if the vulnerability starts to be widely exploited in the meantime, the company might release the patch sooner, he said.

Join the Good Gear Guide newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityTripwirepatch managementExploits / vulnerabilitiesqualys

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest News Articles


PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?