
Microsoft finally patches gaping IE exploit with Patch Tuesday update

It's that time again, so happy patching!

For the last decade, admins have awaited Microsoft Patch Tuesday with dread (or perhaps delight, though that seems highly doubtful). There is no time to delay this month, however, because Microsoft has finally closed the gaping zero-day hole in Internet Explorer that is being actively exploited in the wild by cyber crooks, nation-state hackers and pen testers alike; until now the only fix was the temporary Fix it workaround Microsoft shipped for CVE-2013-3893. MS13-080 is a cumulative IE update, rated critical as expected, that resolves 10 security issues in Internet Explorer. When it comes to deployment priority, this is number one.


In total, Microsoft's eight bulletins address 26 unique Common Vulnerabilities and Exposures (CVEs). Other remote code execution (RCE) holes being closed, besides the gaping one in Internet Explorer, affect Microsoft Windows, the .NET Framework, Office, and SharePoint.

MS13-081, which resolves seven issues in Windows kernel-mode drivers, is also rated critical, with a "1" for deployment priority and a "1" on the exploitability index. The summary states, "The most severe vulnerability could allow remote code execution if a user views a malicious webpage with specially crafted OpenType fonts. This release also addresses vulnerabilities that could allow elevation of privilege if an attacker gains access to a system, in some cases physical access to a USB port is required."

MS13-083 is rated critical for all supported 64-bit editions of Microsoft Windows and should be among the first deployed. It fixes one RCE issue in Windows that can be triggered "if an affected system is accessible via an ASP.NET web application and can receive a specifically crafted request." It ranks as a "1" on the exploitability index. Note, however, that Microsoft states, "This security update has no severity rating for Windows RT and for all supported 32-bit editions of Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows 8."

MS13-082 is rated critical, with a deployment priority of "2" and an exploitability index of "2." It resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in the Microsoft .NET Framework. Left unpatched, the flaws could allow remote code execution or denial of service.

Next up, with a deployment priority and an exploitability index of "2," is MS13-085. It is rated important and resolves two privately reported vulnerabilities in Microsoft Office. More specifically, the update corrects how Excel and the other affected Microsoft software (Microsoft Office 2007, Microsoft Office 2010, Microsoft Office 2013, Microsoft Office 2013 RT, and Microsoft Office for Mac 2011) "validates data when parsing specially crafted Office files."

The last bulletin with deployment priority "2" is MS13-086, which patches Word. It is rated important, ranks as "2" on the exploitability index, and addresses two privately reported RCE vulnerabilities in Office.

MS13-084 is rated important for SharePoint. "The most severe vulnerability could allow remote code execution if a user opens a specially crafted Office file in an affected version of Microsoft SharePoint Server, Microsoft Office Services, or Web Apps."

Like the patch for SharePoint, the patch for Silverlight (MS13-087) is rated important, with a deployment priority of "3." It is the only bulletin this month whose most severe issue is an information disclosure flaw rather than a remote code execution vulnerability.

Not that patch, after a decade of Patch Tuesday
Oddly, even after ten years, the word "patch" is still unassociated with Microsoft, at least according to Google.

P.S. Adobe, of the infamous compromise potentially affecting nearly three million customers, issued a patch for Acrobat and Adobe Reader and another for RoboHelp, so you might add those to the pile of patches issued today.

BlackBerry also released a security advisory regarding an RCE vulnerability "that is not currently being exploited, but affects the BlackBerry Universal Device Service installed by default with BlackBerry Enterprise Service 10."

Happy patching!


Follow me on Twitter @PrivacyFanatic
