33 separate CVEs (individual security-related bugs) are fixed across ten patches affecting Internet Explorer, Windows, .NET, Lync, Publisher, Word, Visio and Windows Essentials.
Ten of these vulnerabilities could be exploited to allow remote code execution (RCE), and one could be exploited to disclose information that shouldn’t be accessible.
The Internet Explorer update also fixes the now two-month-old vulnerability (CVE-2013-2551) in IE 10 that was disclosed at this year’s PWN2OWN competition at CanSecWest.
All of these vulnerabilities were privately disclosed, but for all we know the criminals might also be aware of how to exploit these flaws.
MS13-038 is the most anticipated as it fixes the zero-day flaw utilized in the attack on visitors to the US Department of Labor website. We know that our adversaries have knowledge of this flaw, so it is a very high priority for IE users.
It has been reported that this flaw only affects Internet Explorer 8, but that is only partly true. Some of the flawed code is also present in Internet Explorer 9, although Microsoft does not believe it can be exploited there. It is certainly worth applying this fix anyhow, just in case the criminals have found a way to exploit IE 9 users as well.
MS13-039 fixes a DoS (denial of service) vulnerability in the http.sys driver on Windows 8 and Windows Server 2012.
Any application that relies on this Windows driver is exposed to the DoS, so this fix should be deployed as soon as possible on web application servers.
Adobe also released advisories today for ColdFusion, Flash Player and Reader/Acrobat.
Adobe has reports of the information disclosure vulnerability being exploited in the wild, so users of ColdFusion should deploy this patch immediately.
APSB13-14 resolves 13 memory corruption vulnerabilities that could result in RCE in Adobe Flash Player. Adobe rates this a priority 1 patch for Windows, priority 2 for Mac OS X and priority 3 for other platforms.
As always the latest Flash Player is available from http://get.adobe.com/flashplayer.
Last, but not least, is APSB13-15 which resolves 27 vulnerabilities in Adobe Reader and Adobe Acrobat versions 9 through XI. Rather than detail them, let’s just say you need to patch it right away.
The latest version of Reader can be downloaded directly from http://get.adobe.com/reader.