July 2013 Patch Tuesday – Windows, IE, Flash, Shockwave and ColdFusion

Patch Tuesday

Patch TuesdayToday, right on schedule, Microsoft released 7 updates fixing 34 vulnerabilities in Windows, Internet Explorer, .NET and Windows Defender.

Adobe also released fixes for Adobe Flash Player, Adobe Shockwave Player and Adobe Cold Fusion fixing 6 vulnerabilities.

Either Adobe is making progress and getting the number of vulnerabilities down or a few of their engineers are on summer holiday… Time will tell.

The two most critical Microsoft fixes are MS13-053 and MS13-055.

The first addresses 8 vulnerabilities in the kernel mode font rendering engine in Windows, while the second fixes 17 flaws in Internet Explorer versions 6 through 10.

MS13-053 covers both publicly and privately disclosed flaws in TrueType font handling that could result in both remote code execution (RCE) and elevation of privilege (EoP).

SophosLabs notes that only two of these vulnerabilities can be exploited remotely, CVE-2013-3129 and CVE-2013-3660.

This raises a lot of questions that first came to light with one of the zero-day vulnerabilities exploited by Duqu in 2011.

Can someone at Microsoft please answer this question: “Why on earth does Windows accept arbitrary input (fonts) into the kernel? In fact, why does Windows use the kernel to render fonts!?!?”

Whether it should or shouldn’t doesn’t matter, because it does. Fix this one quick, as it has been used in targeted attacks and can be exploited through multiple vectors.

Internet ExplorerMS13-055 fixes vulnerabilities in all supported versions of Internet Explorer on all supported versions of Windows (except Core).

While these flaws were privately disclosed to Microsoft and are not known to be in the wild, it is critical to patch flaws that can result in remote code execution from a web browser.

These situations are sometimes referred to as “browse and 0wn” vulnerabilities, meaning by simply visiting a web page your computer can be “0wned” by the attacker.

SophosLabs suggest disabling ActiveX and Active Scripting as a mitigation against many of these vulnerabilities if you are unable to immediately deploy these fixes. This may result in reduced web functionality.

MS13-052 impacts .NET and Silverlight and includes both publicly and privately disclosed vulnerabilities.

Another remote code execution font issues is resolved in MS13-054 and impacts users of Visual Studio, Office, Lync and Windows.

You may see this referred to as the GDI bug. The Graphics Device Interface component of Windows renders what you see on the screen.

MS13-056 and MS13-057 address media file handling flaws that could result in RCE, while MS13-057 resolves an EoP in Windows Defender on Windows 7 as Paul documented earlier this week.

As always, Microsoft fixes are available through http://update.microsoft.com or through Microsoft’s website.

adobe-170Adobe’s most important fix for today is APSB13-17 which resolves two RCEs and an integer overflow in Flash Player. Flash updates can be manually downloaded from http://get.adobe.com/flashplayer.

APSB13-18 fixes an RCE in Adobe Shockwave Player on Windows and Macintosh. The solution to this problem is to remove it from your computer. You don’t need it.

Lastly Adobe Cold Fusion received fix APSB13-19 which fixes two flaws that could result in denial of service (DoS) or inappropriate access privileges.

ColdFusion users are advised to read the full bulletin on Adobe’s website.

For all the latest analysis of these and other vulnerabilities by SophosLabs, please visit our Vulnerability page.

I know it is summer here in the Northern hemisphere and it can be a bit hot and sticky for many of us, but that doesn’t absolve us of the need to patch. Get on it!