Microsoft patches 19 flaws, including IE zero day

Today Microsoft issued 8 updates fixing vulnerabilities in Microsoft Windows, Internet Explorer and Office. Among them is on that has recently been reported as exploited in the wild.

The bulletins describing the updates:

• MS13-088: Cumulative Security Update for Internet Explorer (2888505) (Critical)

  10 vulnerabilities in Internet Explorer are fixed in this update. Eight are memory corruption vulnerabilities and two are information disclosure vulnerabilities.

• MS13-089: Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331) (Critical)

  Remote code execution could result from a user opening a specially-crafted Windows Write file in Wordpad.

• MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) (Critical)

  This is the zero-day vulnerability that was reported being exploited in the wild. It exists in the InformationCardSigninHelper Class ActiveX control. The update sets the kill bit for this control so that it can no longer be executed using Internet Explorer.

• MS13-091: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093) (Important)

  Three vulnerabilities in Microsoft Office, one of which affects all versions of the product, are patched. All are rated Important.

• MS13-092: Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986) (Important)

  Hyper-V in Windows 8 x64-based (Pro and Enterprise editions only) and Windows Server 2012, including Server Core, are vulnerable to privilege escalation or denial of service.

• MS13-093: Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure (2875783) (Important)

  A user who could log on to the system locally could view, but not modify kernel memory.

• MS13-094: Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514) (Important)

  This vulnerability in Microsoft Outlook, which could allow at attacker to determine certain network parameters of the client system, has already been publicly disclosed. Microsoft says that successful exploit code for this vulnerability does not exist and is unlikely to appear.

• MS13-095: Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) (Important)

  All versions of Windows are vulnerable to denial of service (what we used to call a lockup or program crash) when reading a specially-crafted X.509 digital certificate.

As usual, there is a new version of the Windows Malicious Software Removal Tool. This version adds removal support for two new families of malware, W32/Napolar and Win32/Deminnix. There is also anUpdate for Root Certificates for Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP (KB931125).

Microsoft also released a large number of non-security updates:

• Update for Windows 7 and Windows Server 2008 R2 (KB2830477)—Install this update to resolve issues in Windows.
• Language Packs for Windows 8.1 and Windows RT 8.1 (KB2839636)—Malayalam, Luxembourgish, Central Kurdish, etc.
• Update for Windows 8, Windows RT, and Windows Server 2012 (KB2882780)—
• Update for Windows Small Business Server 2011 Essentials (KB2885313)—Install this update to resolve issues in Windows.
• Update for Windows Home Server 2011 (KB2885314)—Install this update to resolve issues in Windows.
• Update for Windows Storage Server 2008 R2 Essentials (KB2885315)—Install this update to resolve issues in Windows.
• Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2887595)—Install this update to resolve issues in Windows.
• Update for Windows 8, Windows RT, and Windows Server 2012 (KB2889784)—Install this update to resolve issues in Windows.
• Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2890140)—Install this update to resolve a set of known application compatibility issues with Windows.
• Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2890141)—Install this update to resolve a set of known application compatibility issues with Windows.
• Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2890142)—Install this update to resolve issues in Windows.
• Update for Windows 8, Windows RT, Windows Server 2012, Windows 7, and Windows Server 2008 R2 (KB2893519)—Install this update to resolve issues in Windows.
• Dynamic Update for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2 (KB2897942)—Install this update to resolve a set of known application compatibility issues with Windows.
• Dynamic Update for Windows Server 2012 R2 (KB2902816)—Install this update to resolve issues in Windows.
• Update for Windows RT 8.1 (KB2903601)—Install this update to resolve issues in Windows.
• Update for Windows 8.1 (KB2904594)—Install this update to resolve issues in Windows.
• Update for Windows RT 8.1 (KB2905029)—Install this update to resolve issues in Windows.