Microsoft Subnet An independent Microsoft community View more

August 2013 Patch Tuesday closed critical holes in Internet Explorer, Exchange, Windows

It's that time again and Microsoft released security updates to patch critical holes in Windows, Exchange and IE 6 - 10.

Eight security updates, three of which are rated critical, were released for this Patch Tuesday to address 23 vulnerabilities in Exchange, Internet Explorer and Windows. Microsoft recommends deploying MS13-059 and MS13-060 first.

Critical security update MS13-059 closes 11 privately reported vulnerabilities in Internet Explorer 6 - 10. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." It does require a restart.

MS13-060 is also rated critical to patch a vulnerability in the Unicode Scripts Processor included in Microsoft Windows. "The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

If you use Microsoft Exchange Server, then you will also want to deploy the last critical patch, MS13-061, that addresses three vulnerabilities. Microsoft's summary states:

The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing uses the credentials of the LocalService account. The Data Loss Prevention feature hosts code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. The Filtering Management service in Exchange uses the credentials of the LocalService account. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.

The remaining five "important" security updates resolve elevation of privilege, denial of service and information disclosure vulnerabilities.

Microsoft Security Response Center (MSRC) also mentioned BlueHat Challenges that launched two weeks ago. The challenges cover three tracks: reverse engineering, vulnerability discovery, and design-level web browser manipulation tricks. So far, over 720 people have participated; 10 people completed all levels of at least one challenge and 120 people completed at least one level. The challenge is still open and Microsoft encourages you "to test your security prowess." To participate, shoot an email to bhchall@microsoft.com with the subject line including which one, [reverse], [vulns], or [web]. If you complete a track, then you can get a custom Xbox avatar item.

While there is no money to be won, Microsoft intends to publicly recognize folks who finish the challenge. In fact, Microsoft said that if you enjoy the BlueHat Challenges, find them fun, then "you'd probably like working at Microsoft in the Trustworthy Computing group. We solve problems like this every day and we have lots of open positions. You can see a list of our available positions at http://www.twccareers.com, and we encourage you to submit an application!"

Like this? Here's more posts:

Follow me on Twitter @PrivacyFanatic

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.