Microsoft Patches 23 Vulnerabilities in Windows, IE, Exchange

Microsoft Patches 23 Vulnerabilities in Windows, IE, Exchange

Summary: All versions of Windows and Internet Explorer are vulnerable to one or more critical flaw fixed today. A component of Exchange written by Oracle is also patched, and there are non-security updates as well.


Today Microsoft released 8 security bulletins addressing 23 vulnerabilities in Microsoft Windows, Internet Explorer and Exchange Server.

The first update is MS13-059, a cumulative update for Internet Explorer, and patches 11 separate vulnerabilities, 9 of which are rated critical on one or more platforms. The 9 critical vulnerabilities are all memory corruption vulnerabilities. The other 2 are only rated as Moderate severity on some platforms for privilege escalation or information disclosure.

MS13-060 (Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution) affects only Windows XP and Server 2003. "The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts."

MS13-061 describes 3 critical vulnerabilities in all currently-supported versions of Exchange Server. The actual vulnerability is in a set of Oracle libraries, called Outside In, which assist in document viewing for users of Outlook Web Access in a web browser. The update installs fixed versions of the Oracle libraries. These vulnerabilities have been publicly disclosed already, but Microsoft states that "Exploit code would be difficult to build".

MS13-062 is a single privilege escalation vulnerability which affects the RPC handling code in all versions of Windows and is rated Important.

MS13-063 describes 4 vulnerabilities, all rated Important, affecting most versions of Windows. One allows bypass of ASLR (Address Space Layout Randomization), a technique used by Windows to defeat many attacks. The other 3 are kernel corruption vulnerabilities which could allow elevation of privilege. These vulnerabilities have been publicly disclosed already. For reasons unclear to me, Microsoft does not provide an exploitability index number for the ASLR bypass vulnerability.

MS13-064 is a single denial of service vulnerability in the Windows Server 2012 NAT Driver. A specially-crafted ICMP packet could cause the service to stop responding.

MS13-065 is a single denial of service vulnerability in the IPv6 stack in all versions of Windows except XP and Server 2003. This vulnerability is also triggered by a specially-crafted ICMP packet.

MS13-066 is an information disclosure vulnerability in the Active Directory Federation Services (AD FS) in all Intel-based versions of Windows Server other than Server Core. According to Microsoft, "…the vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured. This would result in denial of service for all applications relying on the AD FS instance."

Microsoft also released 3 non-security updates, as well as the monthly Malicious Software Removal Tool and an update to root certificates.

The first is an update to Windows 8 and RT 'to improve protection functionality in Windows Defender'. The second is for Windows 8, RT and Server 2012 'to resolve issues in Windows'. The third is for all current versions of Windows, also 'to resolve issues in Windows'.

Brian Gorenc, Manager, manager of HP Security Research's Zero Day Initiative, added this this observation: 

In today's patch release, Microsoft continues to fix weaknesses demonstrated by researchers at HP's Pwn2Own competition earlier this year.
One of the issues Microsoft is patching (CVE-2013-2556) exists in the Windows Kernel which can be leveraged by attackers to bypass operating system mitigations like Address Space Layout Randomization (ASLR). This specific flaw occurs as a result of the predictable address of a data structure, which can be leveraged to leak memory addresses to an attacker.
Microsoft is also hardening Internet Explorer's sandbox by correcting the bypass vulnerability demonstrated by VUPEN Security at Pwn2Own.  This vulnerability can be utilized by attackers to execute code outside the sandbox.

Topics: Security, Windows, Microsoft Surface

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Were you out for a while?

    It's been a long time since I recall reading one of your articles. I've read three in the past few days. Were you gone?
    • gone, but not forgotten

      I haven't written for ZDNet for 10 years before this month. Until this past May I was running BYTE, which was shut down. :(
      Larry Seltzer
      • Welcome back.

      • Yes, welcome back

        I've enjoyed your posts so far.
        • enjoyable reading?

          simply a precis of what is already on the technet MC site and a cut and paste of someone else's comment at the end.
          I'm not surprised BYTE bit the dust if this is a sample of what was offered to their readers...
          The Central Scrutinizer
          • Then I expect we won't be seeing any more comments from you...

            ...related to his articles?
          • ye

            What's a ye?
          • It's an abbreviation for a nickname I was given long ago.

          • correct

            at least not until he produces something more original than just copy and paste from other sources...
            The Central Scrutinizer
  • Microsoft Patches 23 Vulnerabilities in Windows, IE, Exchange

    Now you know why the smart people use Linux.

    End Of Story
    Over and Out
    • I didn't know this about smart people

      Smart people prefer to install 20+ patches every day instead of just once a month?

      Huh, I learned something new today. Thanks Enough said.
      • Don't know about you , but I haven't had to install a patch

        in about 6 months.

        Never had to install a patch every day.

        Smart people prefer patches that work.

        Does exchange know how to reject mail when there is insufficient disk space yet? Or does it still crash?
        • So what you're saying is your version of Linux is bug free?

          • Nope.

            Just never had to patch every day. Not even had to patch every week or month.

            Now SOME patches are called for, and relatively quickly. But that doesn't happen every day.

            The last time I had a required patch was, ummm.... about 3 years ago.
        • If you haven't been installing patches on your distro

          You're quite behind.

          Not every day, mind, you, but it would be a good idea to patch your system. Whether it's something relating to the kernel or disco specific patches, there are patches.
          Michael Alan Goff
          • Of course.

            But just because something has been updated does mean I HAVE to update it. In some cases, it is something I don't use very often, and the update doesn't provide anything of benefit. Sometimes I just remove the software...

            Yes, I miss some added features... but again, unless I need the features, why update?

            In some cases, I don't LIKE the added features (or the loss of features that have been removed) - again, no need to update.

            Will I update? Eventually. Might use a different distribution.

            But nothing says I HAVE to update.

            Security issues? Yes, there are some... but they have already been mitigated by not allowing network connections, or by compartmentalizing the application, or by just disabling the "feature" if it doesn't affect normal usage.
          • And doing all those things

            Would pretty much secure any OS.
            Michael Alan Goff
        • update your OS

          you better don't need punish your OS to prove your point.
          • The OS doesn't care.

            So no one gets punished.

            It also means I can spend more time on other projects.
      • Enough said

        So far we know you have said enough, no more than enough. You apparently have an addiction for saying nothing and thinking it is enough. Actually most readers that actually would like to follow up with adult conversations, think that you have said more than enough.

        The problem I see is that with all you have said, you have said nothing the contributes in any meaningful way. Nor have you been able to break out of you pubescent ranting's long enough to actually say anything that has merit. So yes Enough said about nothing. Please refrain if you are so inclined in the future to try and act like a sound byte politician, you don't have enough talent to even hit that mark.

        Enough said period, end of story.