May Patch Tuesday critical for users of Internet Explorer and web-based services

patchtuesday170It is the second Tuesday of the month here on the West coast of North America and for once I am actually in town to do our monthly Patch Tuesday analysis.

33 separate CVEs (individual security related bugs) are fixed across ten patches affecting Internet Explorer, Windows, .NET, Lync, Publisher, Word, Visio and Windows Essentials.

The answer to everyone’s question is “yes”. Microsoft has released a fix for the IE 8 zero day vulnerable used in the US Department of Labor website compromise.

I had the opportunity to speak with the MSRC team in Redmond this morning and without a doubt the three most important updates are MS13-037, MS13-038 and MS13-039.

ie-170MS13-037 fixes eleven vulnerabilities in Internet Explorer.

Ten of these vulnerabilities could be exploited to allow remote code execution (RCE) and one could be exploited to disclose information that shouldn’t be accessible.

This fixes the now two month old vulnerability (CVE-2013-2551) in IE 10 disclosed at this year’s PWN2OWN competition at CanSecWest.

All of these vulnerabilities were privately disclosed, but for all we know the criminals might also be aware of how to exploit these flaws.

MS13-038 is the most anticipated as it fixes the zero-day flaw utilized in the attack on visitors to the US Department of Labor website. We know that our adversaries have knowledge of this flaw, so it is a very high priority for IE users.

It has been reported that this flaw only affects Internet Explorer 8, but that is only partly true. Some of the flawed code is also present in Internet Explorer 9, although Microsoft does not believe it can be exploited. It is certainly worth applying this fix anyhow, just in case the criminals have determined a way to exploit IE 9 users as well.

MS13-039 fixes a DoS (denial of service) vulnerability in the http.sys driver on Windows 8 and Windows Server 2012.

Any application that utilizes this Windows driver is vulnerable to DoS and this fix should be deployed as soon as possible on web application servers.

Adobe also released advisories today for ColdFusion, Flash Player and Reader/Acrobat.

adobe-170APSB13-13 fixes two vulnerabilities in ColdFusion, one is a RCE flaw and the other is an information disclosure vulnerability.

Adobe has reports of the information disclosure vulnerability being exploited in the wild, so users of ColdFusion should deploy this patch immediately.

APSB13-14 resolves 13 memory corruption vulnerabilities that could result in RCE in Adobe Flash Player. Adobe considers this a priority one patch for Windows, two for Mac OS X and three for other platforms.

As always the latest Flash Player is available from

Last, but not least, is APSB13-15 which resolves 27 vulnerabilities in Adobe Reader and Adobe Acrobat versions 9 through XI. Rather than detail them, let’s just say you need to patch it right away.

The latest version of Reader can be downloaded directly from