Microsoft patches 23 bugs

Microsoft on Tuesday dispatched eight fixes for 23 vulnerabilities as part of its monthly patch update.

Three of the fixes, or bulletins, were deemed "critical" because they addressed bugs that all allowed remote code execution (RCE) after a user opened a malicious file or viewed an infected web page.

The highest-priority patch appears to be MS13-059, which resolves 11 vulnerabilities affecting Internet Explorer, from IE 6 running on Windows XP to IE 10 running on Windows 8 and RT tablets.

The bulletin patched “severe vulnerabilities” that could allow an attacker to obtain the same user rights as victims even they visit and infected web page.

Qualys chief technology officer Wolfgang Kandek said the fix should be installed as soon as possible.

“As usual with IE vulnerabilities, the attack vector would be a malicious web page, either exploited by the attacker or it could be sent to the victim in a spear phishing email," he said.

"Patch this immediately as the highest priority on your desktop system and wherever your users browse the web."

A second critical bulletin, MS13-060, fixed one privately reported flaw in Unicode Scripts Processor, a Windows service used to render Unicode-encoded text.  

If exploited, the bug could also allow a saboteur to remotely execute code after a user views a malicious document or web page using an application that supports embedded OpenType fonts.

The final critical fix, bulletin MS13-061, rectified three publicly disclosed bugs in Microsoft Exchange Server. The bugs actually lie in the way Exchange files are processed by Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats. Microsoft has dealt with similar issues in the past.

There are no reports the weaknesses have been exploited in the wild.

Microsoft also removed the predictable pointer used in an attack (LdrHotPatchRoutine) demonstrated at CanSecWest which could bypass Address Space Layout Randomisation and Data Execution Prevention. (pdf)

Microsoft addressed the bug in EMET 4.0 released in April and has squashed it with the release of MS13-063.

"The bypass described above relies on the fact that a pointer to LdrHotPatchRoutine can be found at a predictable location in memory. As such, one way to mitigate this bypass is to simply eliminate the predictable pointer to LdrHotPatchRoutine from SharedUserData," the Secure Windows Initiative Attack Team wrote.

"After installing this update on Windows 7 64-bit, we can see that not only has the pointer to LdrHotPatchRoutine been eliminated, but in fact all other image pointers have been eliminated as well."

Additional patches in the Microsoft update addressed bugs rated “important” that could allow attackers to carry out denial-of-service attacks and gain elevated rights privileges.

- With Darren Pauli.