Microsoft's October 2013 Patch Tuesday security updates feature eight bulletins addressing 26 vulnerabilities,...
four of them critical, with the most notable patch addressing a recent Internet Explorer (IE) zero-day vulnerability.
The fix for the SetMouseCapture IE zero-day, first discovered by security firm FireEye in September, had been anticipated by security experts. Since its detection, FireEye uncovered at least three active attack campaigns exploiting the zero-day; one of which was traced back to Hidden Lynx, the China-based hacking group that is believed to be responsible for the data breach earlier this year at security vendor Bit9.
Though first observed only as part of targeted attacks based in limited regions, exploit code for the vulnerability spread dramatically after it was publically disclosed. Last week, the penetration-testing tool Metasploit released an attack module for the IE zero-day, which further increased the pressure on Microsoft to provide a patch.
Upon concluding its investigation of the zero-day, CVE-2013-3893, Microsoft said the vulnerability arose due to the way IE "accesses an object in memory that has been deleted or has not been properly allocated." Attackers could execute arbitrary code as a result, the Redmond, Wash.-based software giant clarified, saying that attackers could build a specific website designed to exploit the vulnerability and trick users into visiting it.
MS13-080, the first bulletin, actually serves as a cumulative security update that resolves a total of 10 vulnerabilities in the IE Web browser, with CVE-2013-3893 being the only one disclosed publically.
While security professionals around the world were probably aware of the high-profile zero-day, Ross Barrett, senior manager of security engineering at Boston-based vulnerability management vendor Rapid7, noted that a separate IE zero-day, CVE-2013-3897, is among the nine previously undisclosed vulnerabilities in the first bulletin. He noted that this second zero-day has also been used as part of targeted attacks.
"That's not to say that the remaining eight IE vulnerabilities are not potentially just as bad or worse," cautioned Barrett. "However, at least at this time, they are not known to be in use by the 'bad guys'."
Apart from the vital IE updates provide in MS13-080, Microsoft classified two other update releases at its highest deployment priority level. The first is MS13-081, which provides patches for seven issues across a range of Microsoft Windows versions. Among the private vulnerabilities patched by this release, the company said that the most severe could allow remote-code execution if users viewed content with embedded OpenType or TrueType font files. An attacker could potentially gain kernel-level system access via this vulnerability, though an active exploit has not currently been discovered.
The other high-priority release from Microsoft is MS13-083, which only addresses one issue found in multiple versions of both Microsoft Windows and Windows Server. The vulnerability is another that could allow code to be executed remotely if a system can receive certain requests from the ASP.NET Web application. Private reported, Microsoft warned that a successful exploit of this vulnerability could grant attackers the rights of local users. Barrett said the vulnerability presents a "potentially 'wormable' condition", cautioning that enterprise defenses could be tested if attackers craft an automated exploit based on it.
MS13-082 addresses the other 'critical' vulnerabilities in the October Patch Tuesday release. The most severe vulnerability of the bunch again allows remote code execution if a user visits a website containing a manipulate OpenType font file. The vulnerability is present in several versions of the Microsoft .NET Framework.
The four other updates are aimed at issues Microsoft deemed 'important', but Barrett advised enterprises to put their initial patch focus on the first four.
"Don't ignore them, but patch the other issues in this month’s advisory first if you have to make that kind of decision," Barrett said.