May Patch Tuesday critical for users of Internet Explorer and web-based services

Filed Under: Adobe, Adobe Flash, Denial of Service, Featured, Internet Explorer, Microsoft, PDF, Vulnerability, Windows

patchtuesday170It is the second Tuesday of the month here on the West coast of North America and for once I am actually in town to do our monthly Patch Tuesday analysis.

33 separate CVEs (individual security related bugs) are fixed across ten patches affecting Internet Explorer, Windows, .NET, Lync, Publisher, Word, Visio and Windows Essentials.

The answer to everyone's question is "yes". Microsoft has released a fix for the IE 8 zero day vulnerable used in the US Department of Labor website compromise.

I had the opportunity to speak with the MSRC team in Redmond this morning and without a doubt the three most important updates are MS13-037, MS13-038 and MS13-039.

ie-170MS13-037 fixes eleven vulnerabilities in Internet Explorer.

Ten of these vulnerabilities could be exploited to allow remote code execution (RCE) and one could be exploited to disclose information that shouldn't be accessible.

This fixes the now two month old vulnerability (CVE-2013-2551) in IE 10 disclosed at this year's PWN2OWN competition at CanSecWest.

All of these vulnerabilities were privately disclosed, but for all we know the criminals might also be aware of how to exploit these flaws.

MS13-038 is the most anticipated as it fixes the zero-day flaw utilized in the attack on visitors to the US Department of Labor website. We know that our adversaries have knowledge of this flaw, so it is a very high priority for IE users.

It has been reported that this flaw only affects Internet Explorer 8, but that is only partly true. Some of the flawed code is also present in Internet Explorer 9, although Microsoft does not believe it can be exploited. It is certainly worth applying this fix anyhow, just in case the criminals have determined a way to exploit IE 9 users as well.

MS13-039 fixes a DoS (denial of service) vulnerability in the http.sys driver on Windows 8 and Windows Server 2012.

Any application that utilizes this Windows driver is vulnerable to DoS and this fix should be deployed as soon as possible on web application servers.

Adobe also released advisories today for ColdFusion, Flash Player and Reader/Acrobat.

adobe-170APSB13-13 fixes two vulnerabilities in ColdFusion, one is a RCE flaw and the other is an information disclosure vulnerability.

Adobe has reports of the information disclosure vulnerability being exploited in the wild, so users of ColdFusion should deploy this patch immediately.

APSB13-14 resolves 13 memory corruption vulnerabilities that could result in RCE in Adobe Flash Player. Adobe considers this a priority one patch for Windows, two for Mac OS X and three for other platforms.

As always the latest Flash Player is available from http://get.adobe.com/flashplayer.

Last, but not least, is APSB13-15 which resolves 27 vulnerabilities in Adobe Reader and Adobe Acrobat versions 9 through XI. Rather than detail them, let's just say you need to patch it right away.

The latest version of Reader can be downloaded directly from http://get.adobe.com/reader.

, , , , , , , ,

You might like

3 Responses to May Patch Tuesday critical for users of Internet Explorer and web-based services

  1. JimboC_Security · 441 days ago

    As always, thanks Chester for spreading awareness of these security updates in what so far appears to be a busy month for patches.

    The full offline installers for Adobe Flash (for Mac, Linux and Windows) can be obtained from the following link (which does not offer any other 3rd party software):

    http://www.adobe.com/products/flashplayer/distrib...

    I have installed all of the Microsoft and Adobe updates on my PCs and everything
    continues to work as expected.

    I hope this helps. Thank you.

  2. john · 440 days ago

    When i installed windows updates on my win8 PC, i lost my graphics drivers, they defaulted to MS basic graphics adapter, i tried many times and many different drivers to get them working again, including the correct drivers for my graphics card that MS provides in the OS that was installed before the update.

    • JimboC_Security · 439 days ago

      Hi John,

      I would suggest reverting to a recent System Restore point in order to have your graphics card drivers back.

      The following link explains how to use it:
      http://www.bleepingcomputer.com/tutorials/windows...

      I would then contact the manufacturer of your computer (especially if you are using a laptop) in order to find out how to obtain and install the correct graphics drivers for your computer. You should then be able to safely install all security updates for Windows 8 and not experience any further issues.

      The following update was made available for Windows 8 on the 14th of May, it specifically mentions resolving a similar issue:
      http://support.microsoft.com/kb/2836988

      “Resolves an issue in which a black screen is displayed for as long as several minutes when you update a graphics driver.”

      If I can provide any further advice, please let me know. I hope this helps. Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.