Eight security updates, three of which are rated critical, were released for this Patch Tuesday to address 23 vulnerabilities in Exchange, Internet Explorer and Windows. Microsoft recommends deploying MS13-059 and MS13-060 first.
Critical security update MS13-059 closes 11 privately reported vulnerabilities in Internet Explorer 6 - 10. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights." It does require a restart.
MS13-060, also rated critical, patches a single vulnerability in the Unicode Scripts Processor included in Microsoft Windows. "The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."
If you run Microsoft Exchange Server, you will also want to deploy the third critical update, MS13-061, which addresses three vulnerabilities. Microsoft's summary states:
The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). The transcoding service in Exchange that is used for WebReady Document Viewing uses the credentials of the LocalService account. The Data Loss Prevention feature hosts code that could allow remote code execution in the security context of the Filtering Management service if a specially crafted message is received by the Exchange server. The Filtering Management service in Exchange uses the credentials of the LocalService account. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.
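The exposure described above depends on whether WebReady Document Viewing is actually turned on for your Outlook Web App virtual directories. The following Exchange Management Shell snippet is an added example, not part of the original post or of Microsoft's bulletin; it assumes an Exchange 2010 or 2013 organization where the shell is already loaded. It lists the current setting per OWA virtual directory and, as an optional interim step until MS13-061 is deployed, shows how to switch the feature off (that disabling it is an acceptable trade-off for your users is an assumption you must make, since OWA then loses in-browser attachment preview).

```powershell
# Added example, not from the original post or from Microsoft's bulletin.
# Assumes the Exchange Management Shell (Exchange 2010/2013) is loaded.

# Report whether WebReady Document Viewing, the OWA feature MS13-061
# covers, is enabled for public and private computer sessions on every
# OWA virtual directory in the organization.
Get-OwaVirtualDirectory |
    Select-Object Server, Name,
        WebReadyDocumentViewingOnPublicComputersEnabled,
        WebReadyDocumentViewingOnPrivateComputersEnabled |
    Format-Table -AutoSize

# Optional interim mitigation until the update is installed: turn the
# feature off everywhere. Operational cost: users lose attachment preview
# in OWA, so treat this as a temporary measure and re-enable after
# patching if the feature is needed. Uncomment to apply.
# Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
#     -WebReadyDocumentViewingOnPublicComputersEnabled $false `
#     -WebReadyDocumentViewingOnPrivateComputersEnabled $false
```

Run the report first on a server with the update already staged, compare the output across Client Access servers, and record the pre-change values so the setting can be restored once MS13-061 is in place.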
The remaining five "important" security updates resolve elevation of privilege, denial of service and information disclosure vulnerabilities.
Microsoft Security Response Center (MSRC) also mentioned the BlueHat Challenges that launched two weeks ago. The challenges cover three tracks: reverse engineering, vulnerability discovery, and design-level web browser manipulation tricks. So far, over 720 people have participated; 10 people completed all levels of at least one challenge and 120 people completed at least one level. The challenge is still open and Microsoft encourages you "to test your security prowess." To participate, send an email to email@example.com with the tag of the track you want, [reverse], [vulns], or [web], in the subject line. If you complete a track, you can get a custom Xbox avatar item.
While there is no money to be won, Microsoft intends to publicly recognize folks who finish the challenge. In fact, Microsoft said that if you enjoy the BlueHat Challenges, find them fun, then "you'd probably like working at Microsoft in the Trustworthy Computing group. We solve problems like this every day and we have lots of open positions. You can see a list of our available positions at http://www.twccareers.com, and we encourage you to submit an application!"
Follow me on Twitter @PrivacyFanatic