Microsoft has fixed 23 vulnerabilities in five security bulletins as part of its June Patch release. Of the fixed bugs, 19 were in Internet Explorer.
The memory corruption vulnerabilities affected all supported versions of Internet Explorer web browsers running on all supported operating systems, according to Microsoft’s Patch Security advisory. The IE bulletin (MS13-047) is the only one rated as critical this month, while the remaining four bulletins were rated as important.
Marc Maiffret, CTO at BeyondTrust, said that four of the issues affected every single supported version of IE, suggesting that attackers are most likely to go after these vulnerabilities before attempting to use the others.
“Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage,” agreed Wolfgang Kandek, CTO of Qualys.
Another high priority bulletin addressed vulnerabilities in Microsoft Office (MS13-051). The parsing vulnerability of the PNG graphic format in Office 2003 on Windows and 2011 for Mac OS X is currently being targeted in the wild in limited attacks, according to Microsoft.
The “only reason” Microsoft did not tag the Office bulletin as critical is because of the small number of platforms that are affected, said Ross Barrett, senior manager of security engineering at Rapid7. Attackers interested in exploiting this flaw could use a booby-trapped Word document.
The remaining bulletins addressed an information disclosure vulnerability (MS13-048), a denial-of-service problem in the TCP/IP stack (MS13-049) and a local privilege escalation vulnerability in Windows Print Spooler (MS13-050), according to Microsoft. The DoS bugaffects newer versions of Windows, from Vista to Windows 8 and Server 2008 to Server 2012. The flaw is only a local vulnerability for Vista, Windows 7 and Server 2008, but on Windows 8 and Server 2012, the bug can be exploited across the network.”
It’s surprising that newer versions of Windows are more susceptible to this bug than the older versions,” said Lamar Bailey, director of security research at Tripwire. “Newer is not always better,” he added.
Microsoft did not close the kernel elevation of privilege vulnerability disclosed by Google employee Tavis Ormandy earlier this month as part of this patch release. A proof-of concept exploit is already available, so it is reasonable to assume “the underground is working to make that vulnerability part of their arsenal,” Kandek said, who predicted the fix will be part of July’s Patch Tuesday update. Barrett did not think an out-of-band patch was likely for just a local kernel bug.
All in all, it’s a fairly small patch release, but considering Apple’s recent Mac OS X update and Adobe’s Flash update, administrators will still be busy.Leave a comment on this article