Today, right on schedule, Microsoft released 7 updates fixing 34 vulnerabilities in Windows, Internet Explorer, .NET and Windows Defender.
Adobe also released fixes for Adobe Flash Player, Adobe Shockwave Player and Adobe Cold Fusion fixing 6 vulnerabilities.
Either Adobe is making progress and getting the number of vulnerabilities down or a few of their engineers are on summer holiday… Time will tell.
The two most critical Microsoft fixes are MS13-053 and MS13-055.
The first addresses 8 vulnerabilities in the kernel mode font rendering engine in Windows, while the second fixes 17 flaws in Internet Explorer versions 6 through 10.
MS13-053 covers both publicly and privately disclosed flaws in TrueType font handling that could result in both remote code execution (RCE) and elevation of privilege (EoP).
SophosLabs notes that only two of these vulnerabilities can be exploited remotely, CVE-2013-3129 and CVE-2013-3660.
This raises a lot of questions that first came to light with one of the zero-day vulnerabilities exploited by Duqu in 2011.
Can someone at Microsoft please answer this question: “Why on earth does Windows accept arbitrary input (fonts) into the kernel? In fact, why does Windows use the kernel to render fonts!?!?”
Whether it should or shouldn’t doesn’t matter, because it does. Fix this one quick, as it has been used in targeted attacks and can be exploited through multiple vectors.
MS13-055 fixes vulnerabilities in all supported versions of Internet Explorer on all supported versions of Windows (except Core).
While these flaws were privately disclosed to Microsoft and are not known to be in the wild, it is critical to patch flaws that can result in remote code execution from a web browser.
These situations are sometimes referred to as “browse and 0wn” vulnerabilities, meaning by simply visiting a web page your computer can be “0wned” by the attacker.
SophosLabs suggest disabling ActiveX and Active Scripting as a mitigation against many of these vulnerabilities if you are unable to immediately deploy these fixes. This may result in reduced web functionality.
MS13-052 impacts .NET and Silverlight and includes both publicly and privately disclosed vulnerabilities.
Another remote code execution font issues is resolved in MS13-054 and impacts users of Visual Studio, Office, Lync and Windows.
You may see this referred to as the GDI bug. The Graphics Device Interface component of Windows renders what you see on the screen.
MS13-056 and MS13-057 address media file handling flaws that could result in RCE, while MS13-057 resolves an EoP in Windows Defender on Windows 7 as Paul documented earlier this week.
As always, Microsoft fixes are available through http://update.microsoft.com or through Microsoft’s website.
Adobe’s most important fix for today is APSB13-17 which resolves two RCEs and an integer overflow in Flash Player. Flash updates can be manually downloaded from http://get.adobe.com/flashplayer.
APSB13-18 fixes an RCE in Adobe Shockwave Player on Windows and Macintosh. The solution to this problem is to remove it from your computer. You don’t need it.
Lastly Adobe Cold Fusion received fix APSB13-19 which fixes two flaws that could result in denial of service (DoS) or inappropriate access privileges.
ColdFusion users are advised to read the full bulletin on Adobe’s website.
For all the latest analysis of these and other vulnerabilities by SophosLabs, please visit our Vulnerability page.
I know it is summer here in the Northern hemisphere and it can be a bit hot and sticky for many of us, but that doesn’t absolve us of the need to patch. Get on it!
3 comments on “July 2013 Patch Tuesday – Windows, IE, Flash, Shockwave and ColdFusion”
Alas, I downloaded 15 of the available patches as I normally do, but this time and for the very first time wiping out Mozilla Firefox, which now refuses to open and Skype, which opens and then closes straight away. I tried restoring to an earlier date, but this failed, the Microsoft explanation being that the anti-virus (AVG 2013 in my case) was probably stopping the process. I disabled it and tried again. It failed and offered the anti-virus explanation again. I'm now thinking of removing the patches one by one, a very laborious procedure. I also re-downloaded Firefox, also to no avail.
Wow. I'd be very irritated if Microsoft disabled Firefox. I am using Firefox 22 on Windows XP, SP3, with MS Security Essentials for an Antivirus. Went through all the MS updates with no problems. Skype Click-to-call for Firefox had been previously disabled as incompatible with Firefox 22, and I replaced it with the extension called Telify. I haven't used that extension yet, but Skype itself ran a script which caused an unacceptable lag when typing in Yahoo mail. I got rid of every trace of Skype, I'm with Firefox all the way, and will not tolerate anything which interferes with it. I'm reasonably happy with Security Essentials, and have not seen any trace of a virus except for that Skype behavior.
i installed july's updates but he same updates twice very weird