Microsoft has released a set of important as well as critical updates in its latest round of patches released this week. Experts from Tripwire have analysed the updates and offered the following comments:
Lamar Bailey, director of security research and development at Tripwire said: “Everyone was worried about the critical Exchange updates but they are not as bad as we feared. The Exchange patch incorporates some of the patches that Oracle released in July and August that affect Outlook Web Access. While exploitation of these is still fairly low, it’s still a critical update.
There are two ALSR bypasses this month; MS13-059 in IE and MS13-063 in the Windows kernel. Both of these came from the CanSecWest Pwn2Own competition this year and both updates should be applied as soon as possible.
Happy anniversary to Blaster -- Microsoft has another RPC vulnerability. The new bug is not nearly as bad as Blaster but the timing seems serendipitous. This RPC issue is a race condition and the attacker must be on the local box, but we may see exploits anyway if attackers can get through the pre-conditions that make this difficult to trigger.
Denial of service issues round out this month’s release and two of them are exploited with IPv6. Although they are only marked as ‘important’ this is something everyone should be aware of.”
Tripwire's security researcher Craig Young added: “Today’s release of MS13-061 to correct critical vulnerabilities in Exchange feels like déjà vu. Six months ago, Microsoft MS13-012 announced critical issues in OWA’s Oracle Outside In technology and six months before that MS12-058 told a similar story.
Microsoft advises that these issues can all be exploited to gain code execution on the server as LocalService with minimal privileges. Although this is certainly preferable to more privileged execution, it does give an attacker a foothold into the network and opens the possibility for admin access by exploiting local elevation of privilege bugs. MS13-061 should be high on the priorities for Exchange administrators because it can be exploited through SPAM campaigns as well as by an authorized user.”
Tyler Reguly, the company's technical manager of security research and development concluded: “As usual, Internet Explorer is the first patch everyone should install. However, instead of simply being the most likely source of attack, this month's update includes a patch for the the ASLR bypass from CanSecWest.
It's worth mentioning that in addition to the ASLR fix in MS13-059, Microsoft is fixing an additional ASLR bypass from CanSecWest with MS13-063. It's good to see that Microsoft is finally getting these bypasses cleaned up . Microsoft acknowledged the danger mitigation bypasses can introduce with their bug bounty program, now we just need to see them act quickly to resolve these issues
It's interesting to see three denial of service patches released this month. While it's unlikely that any of these will be considered critical updates, they do represent potential downtime for core services. Enterprises running the affected software may want to consider the cost of lost productivity and downtime when prioritizing these patches this month.”