
It's Microsoft Patch Tuesday: November 2013

Tony Bradley gathers the information you need to make the right deploy decision when applying Microsoft's November 2013 patches in your organization.

Microsoft released eight new security bulletins for the November Patch Tuesday, bringing the total for 2013 to 95 security bulletins so far. With only three Critical and five Important security bulletins, it's a generally light month for IT admins.

The two highest priorities are MS13-088 - the Cumulative Update for Internet Explorer, and MS13-090 - a Cumulative Security Update for ActiveX Kill Bits, which addresses a zero-day vulnerability that is already being actively exploited in the wild. Aside from those two, the security bulletins this month are relatively tame, and IT admins should be able to enjoy the Thanksgiving break with some peace of mind.


This blog post is also available as a PDF in a TechRepublic Download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.


This month's eight security bulletins address a total of 19 separate vulnerabilities spanning Internet Explorer, Microsoft Office, Hyper-V virtualization, the Graphics Device Interface (GDI), and more.

Security patches

[Image: three flags]

MS13-088 / KB2888505 - Cumulative Security Update for Internet Explorer

More than half of the vulnerabilities this month are addressed with this one update. MS13-088 resolves ten separate vulnerabilities affecting all versions of Internet Explorer from IE6 to IE11. Two of the flaws could allow information disclosure, and the remaining eight are memory corruption issues that could be exploited to enable an attacker to execute malicious code remotely on the vulnerable system. There are no known exploits in the wild currently for these vulnerabilities, but an attacker could execute an exploit by crafting a malicious Web page and luring users to visit it.

Editor's note (11-15): According to sister-site ZDNet, not all of the vulnerabilities listed in MS13-088 were actually patched.

[Image: two flags]
MS13-089 / KB2876331 - Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution

This security bulletin is rated as Critical by Microsoft because the flaw could allow an attacker to execute malicious code remotely on the target system, and the flaw impacts all supported versions of Windows from Windows XP to Windows 8.1. The severity, however, is tempered significantly by the fact that an attacker would have to create a malicious file, and somehow convince a user to open it using WordPad - an application that very few people actually use.

[Image: three flags]
MS13-090 / KB2900986 - Cumulative Security Update of ActiveX Kill Bits

MS13-090 is an urgent update for two reasons. First, a successful exploit of the vulnerability enables the attacker to execute malicious code on the compromised system. Second, this is a zero-day flaw that is already being actively exploited in the wild. A specially-crafted malicious Web page can be used to trigger the flawed ActiveX control and compromise the system. All desktop versions of Windows are affected, but the potential threat can be minimized by ensuring users don't operate with full administrator privileges.
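An ActiveX kill bit is nothing more than a registry flag: Internet Explorer refuses to instantiate a control whose CLSID has the 0x400 bit set in the "Compatibility Flags" value under the ActiveX Compatibility key, so a kill-bit update like MS13-090 can be verified directly in the registry. The following PowerShell script is an added example, not code from the article or from Microsoft; the CLSID it uses is a constructed placeholder, and the real CLSIDs to check are the ones listed in the MS13-090 bulletin.

```powershell
# Added example: report whether the ActiveX kill bit is set for a CLSID.
# Checks both the native key and the Wow6432Node key (the latter only exists on 64-bit Windows).
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid
    )
    $KillBitFlag = 0x400   # bit Microsoft documents as the kill bit in Compatibility Flags
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($path in $paths) {
        # A missing key or value means no kill bit: the control can still be instantiated.
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Path       = $path
            Flags      = if ($null -eq $flags) { $null } else { '0x{0:X8}' -f $flags }
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
        }
    }
}

# Constructed placeholder CLSID; substitute the CLSIDs named in MS13-090.
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'
Test-ActiveXKillBit -Clsid $PlaceholderClsid | Format-Table -AutoSize
```

A row with KillBitSet equal to False for a CLSID the bulletin covers means the update has not taken effect on that machine; on 64-bit Windows both rows should read True, because 32-bit and 64-bit Internet Explorer read different keys.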

[Image: two flags]
MS13-091 / KB2885093 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This security bulletin addresses three vulnerabilities in Microsoft Office - impacting Office 2003, 2007, 2010, and 2013. One of the three vulnerabilities spans all versions of Office, and will probably be the one attackers will focus their attention on. The security bulletin is only rated as Important by Microsoft, but because Microsoft Office is so pervasive, and a successful attack could lead to remote code execution, this patch should be a higher priority.

[Image: one flag]
MS13-092 / KB2893986 - Vulnerability in Hyper-V Could Allow Elevation of Privilege

The threat from MS13-092 is relatively limited. The vulnerability is specific to Windows 8 and Windows Server 2012 - Windows 8.1 and Windows Server 2012 R2 are unaffected. A successful attack could lead to an elevation of privilege, or to a denial of service by crashing the hypervisor, but the attacker would first need access to a guest virtual machine running within the Hyper-V host in order to pass a specially crafted hypercall to trigger the exploit.

[Image: one flag]
MS13-093 / KB2875783 - Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure

This flaw poses very little risk. A memory disclosure vulnerability in the Windows ancillary function driver can lead to an elevation of privilege, and possible information disclosure. However, the attacker has to first be logged on to the vulnerable system with valid local credentials, and then execute a specially-crafted application to trigger the flaw. A remote attacker would first need to successfully exploit some other flaw to gain control of the target system before this flaw could be a threat.

[Image: one flag]
MS13-094 / KB2894514 - Vulnerability in Microsoft Outlook Could Allow Information Disclosure

This is a publicly disclosed vulnerability that affects Outlook 2007, 2010, and 2013. If an attacker tricks a user into opening a specially-crafted malicious email message using an affected version of Outlook, it could lead to information disclosure. The attacker may be able to extract details such as IP address, open TCP ports, and other sensitive information.

[Image: one flag]
MS13-095 / KB2868626 - Vulnerability in Digital Signatures Could Allow Denial of Service

MS13-095 also poses virtually no real risk in and of itself. A flaw in how Microsoft interprets digital signatures can be exploited with a specially-crafted X.509 certificate to crash the affected system and cause a denial of service condition.
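Once the deploy decision is made, the next question is which of the eight updates actually landed on a given machine. The PowerShell script below is an added example, not code from the article or from Microsoft; it takes the bulletin and KB numbers listed above and reports each one's status on the local system. It relies on Get-HotFix, which reads Win32_QuickFixEngineering and therefore lists only operating-system updates, so the two Office bulletins (MS13-091 and MS13-094) are flagged for verification through Office or WSUS reporting rather than reported as missing.

```powershell
# Added example: inventory this month's bulletins against Get-HotFix on the local machine.
# Bulletin-to-KB mapping taken from the article; Product classification is an assumption
# used only to decide whether Get-HotFix can see the update at all.
$Bulletins = @(
    @{ Id = 'MS13-088'; KB = 'KB2888505'; Product = 'Windows' }
    @{ Id = 'MS13-089'; KB = 'KB2876331'; Product = 'Windows' }
    @{ Id = 'MS13-090'; KB = 'KB2900986'; Product = 'Windows' }
    @{ Id = 'MS13-091'; KB = 'KB2885093'; Product = 'Office'  }
    @{ Id = 'MS13-092'; KB = 'KB2893986'; Product = 'Windows' }
    @{ Id = 'MS13-093'; KB = 'KB2875783'; Product = 'Windows' }
    @{ Id = 'MS13-094'; KB = 'KB2894514'; Product = 'Office'  }
    @{ Id = 'MS13-095'; KB = 'KB2868626'; Product = 'Windows' }
)

function Get-PatchTuesdayStatus {
    param([hashtable[]]$Bulletins)
    # One WMI query for all installed OS hotfixes, rather than one Get-HotFix -Id per KB
    # (Get-HotFix -Id throws when the KB is absent, which is the case we want to report).
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($b in $Bulletins) {
        $status = if ($b.Product -ne 'Windows') {
                      'Not visible to Get-HotFix; verify via Office/WSUS reporting'
                  } elseif ($installed -contains $b.KB) {
                      'Installed'
                  } else {
                      # "Missing" can also mean "not applicable": MS13-092, for example,
                      # applies only to Windows 8 / Server 2012, so compare against the
                      # affected-software list in each bulletin before raising an alarm.
                      'Missing or not applicable to this OS'
                  }
        [pscustomobject]@{
            Bulletin = $b.Id
            KB       = $b.KB
            Product  = $b.Product
            Status   = $status
        }
    }
}

Get-PatchTuesdayStatus -Bulletins $Bulletins | Format-Table -AutoSize
```

Run it as an administrator on a representative machine from each OS family you deploy to; a hotfix reported as missing on every Windows 8.1 host but present on Windows 8 hosts is the expected pattern for MS13-092, not a deployment failure.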



About

Tony Bradley is a principal analyst with Bradley Strategy Group. He is a respected authority on technology, and information security. He writes regularly for Forbes, and PCWorld, and contributes to a wide variety of online and print media outlets. He...

5 comments
iias

I think one of these patches has broken my Windows Server 2003; I've had the blue screen of death since then!

iprelorentzos

Cumulative Security Update for Internet Explorer (MS13-088 / KB2888505) does not apply to Windows 7 Service Pack 1 users (both 32 and 64-bit) if they have installed Internet Explorer 11.

carlsf

I am beginning to wonder about the Microsoft code writers and testers??? Is there anyone testing the code before release?

I used to write code years ago, in the 1980s, in COBOL, and our testing procedure before release was harsh: we not only tested it ourselves, but a selected number of our seniors and also a selected number of the users tested it in a closed environment.

And watch out if there were too many holes/failures.

It would seem with Microsoft it is write, with no real testing, then release and wait for the reports to come in, then fix on a ??? basis.

If Windows or Office was a car/appliance we would be able to get a refund/working replacement at no charge/cost.

It would seem with Microsoft it's pot luck if you don't get exploited, and then it's your cost/time to fix the problem.

Microsoft are truly becoming a company I don't want to purchase from, or use the products they produce.

BobBurke

No worries yet, eh? OK, I'm going to release soon en masse

rtroy56

@carlsf I was a programmer for 20 odd years starting in the late 1970s - mainly VAX COBOL and VAX BASIC, but also Basic Assembler and more. When I learned COBOL and BAL I was taught the basics - bit by bit - no pun intended. We learned the dangers of not understanding what you were working with. For instance, how easy it was to write code that could overwrite itself - the way many viral items work. It's too bad programmers at places like Microsloth don't understand programming that way, or have the dedication to carefully design and test their work. MS is far more interested in coming up with ways of making its GUIs harder and harder to use than in actual testing and quality.