Microsoft releases five patches with one critical fix for Internet Explorer

Microsoft released five bulletins on its June Patch Tuesday, fixing one critical vulnerability in Internet Explorer.

The bulletins fix 23 vulnerabilities in Windows, Office and Internet Explorer, and Microsoft recommended focusing on MS13-047 and MS13-051 first, the critical issue and a remote code execution flaw in Office.

BeyondTrust CTO Marc Maiffret said: “MS13-047 addresses 19 vulnerabilities in Internet Explorer, including 18 generic memory corruption vulnerabilities and one memory corruption caused by a script debugging vulnerability. Four out of these 19 vulnerabilities (CVE-2013-3112,CVE-2013-3113, CVE-2013-3121, and CVE-2013-3142) affect every supported version of Internet Explorer, so attackers will be targeting these vulnerabilities prior to attempting to exploit any of the others.”

Ziv Mador, director of security research at Trustwave, said: “It is rare only having one bulletin in an entire release that contains more than one CVE. However, it is also unusual for one bulletin having at least 18 of them.

“Similar to last month, Internet Explorer is plagued with more critical vulnerabilities, which appear to be caused from memory corruption issues. Many of the CVEs appear to suffer from use-after-free vulnerabilities, which could allow arbitrary code to be executed and/or cause denial-of-service conditions. However, there are many CVEs in here that can result in remote code execution, which is definitely something to worry about especially when it affects a browser.”

Paul Henry, security and forensic analyst at Lumension, said: “Though this may be very concerning at first glance, the bulletin should not cause undue alarm. In order for the vulnerability to be executed, an attacker would have to craft a malicious site and use a phishing attack to lure an unsuspecting user to the site, which would then compromise the system. An attacker could not get in without some user participation.”

Looking at bulletin MS13-051, Wolfgang Kandek, CTO of Qualys, said that this patch for Microsoft Office 2003 on Windows and 2011 for Mac OS X addresses a parsing vulnerability for the PNG graphic format that is currently in limited use in the wild.

“The attack arrives in an Office document and is triggered when the user opens the document. Microsoft rates it only as ‘important' because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward,” he said.

Mador said: “Microsoft Office 2003 SP3 and/or Microsoft for Mac 2011 users should pay particularly close attention to this vulnerability since an attacker could specially craft an Office document that could potentially allow remote code execution conditions. This includes a user viewing a specially crafted email message in Outlook. This vulnerability could especially be risky for those users who always login under an administrator privilege account since this exploit could be used for escalated privileges.”

The other fixes are: MS13-048 for an information disclosure vulnerability; MS13-049 for a denial-of-service problem in the TCP/IP stack of newer Windows systems (Vista+); and MS13-050 for a local privilege escalation vulnerability in Windows print spooler.

Kandek also pointed out that a fix was not issued for the vulnerability that a Google engineer recently published an exploit for on the full-disclosure mailing list.

He said: “The zero-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal. The vulnerability should be addressed next Patch Tuesday unless wider exploitation in the wild is detected.”