Microsoft patches fix IE Zero-Day threat

Microsoft announced eight bulletins for November's Patch Tuesday release, addressing 19 unique vulnerabilities in Microsoft software, including Internet Explorer, Hyper-V, the Graphics Device Interface (GDI), Office, and others. The zero-day vulnerability in Internet Explorer disclosed by FireEye over the weekend has also been fixed.

Of the advisories, the three most critical patches are the Internet Explorer patch (MS13-088), the GDI patch (MS13-089), and the fix for the zero-day flaw in an ActiveX control that affected several versions of Internet Explorer (MS13-090), security experts said.

"Bulletin MS13-090 addresses the publicly-known issue in ActiveX Control, currently under targeted attacks. Customers with automatic updates enabled are protected against this vulnerability and do not need to take any action," said Dustin Childs, group manager of Microsoft Trustworthy Computing.

Microsoft's security team has had a busy few days. Last week, security firm FireEye notified Microsoft of serious vulnerabilities in Internet Explorer, but it appears the team already knew about them as the ActiveX control patch (MS13-090) fixes the InformationCardSignInHelper flaw. Attackers have already targeted the bug in a watering-hole-style attack, and exploit code appeared on text-sharing site Pastebin this morning, making this a high-priority issue.

Microsoft also disclosed a zero-day vulnerability in how some versions of Microsoft Windows and older versions of Microsoft Office handled the TIFF graphics format. There is no patch available addressing this flaw in this Patch Tuesday release, so users who have not yet installed the FixIt temporary workaround should consider doing so as soon as possible.
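The two actionable items so far are the FixIt workaround for the unpatched TIFF flaw and Microsoft's statement that hosts with automatic updates enabled receive MS13-090 without operator action. The following PowerShell audit is an added example, not code from the article or from Microsoft: it reports whether a host has both in place. It assumes that the FixIt works by setting a `DisableTIFFCodec` value of 1 under `HKLM:\SOFTWARE\Microsoft\Gdiplus` (my understanding of Microsoft's advisory, which this article does not spell out) and uses the standard `Microsoft.Update.AutoUpdate` COM object to read the Automatic Updates setting.

```powershell
# Added example (not from the article). Audits a Windows host for the two
# mitigations discussed above: the temporary TIFF-codec FixIt and Automatic
# Updates. Run in an elevated PowerShell session on the host being checked.

# ASSUMPTION: the FixIt disables the GDI+ TIFF codec through this registry
# value. Verify against Microsoft's advisory before relying on it.
$GdiplusKey    = 'HKLM:\SOFTWARE\Microsoft\Gdiplus'
$TiffValueName = 'DisableTIFFCodec'

function Test-TiffCodecMitigation {
    # Returns $true only when the key exists and the value is set to 1.
    if (-not (Test-Path -Path $GdiplusKey)) { return $false }
    $props = Get-ItemProperty -Path $GdiplusKey -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $false }
    if (-not ($props.PSObject.Properties.Name -contains $TiffValueName)) { return $false }
    return ([int]$props.$TiffValueName -eq 1)
}

function Test-AutomaticUpdatesEnabled {
    # NotificationLevel 4 = "Scheduled installation": updates are downloaded
    # and installed automatically, which is the state Microsoft's statement
    # about MS13-090 refers to.
    $au = New-Object -ComObject 'Microsoft.Update.AutoUpdate'
    return ($au.Settings.NotificationLevel -eq 4)
}

function Get-NovemberMitigationReport {
    # Collects both checks into one object so results can be exported or
    # compared across a fleet (e.g. via Invoke-Command).
    [PSCustomObject]@{
        ComputerName            = $env:COMPUTERNAME
        TiffFixItApplied        = Test-TiffCodecMitigation
        AutomaticUpdatesEnabled = Test-AutomaticUpdatesEnabled
        CheckedAt               = (Get-Date).ToString('s')
    }
}

# Print the report; any $false field is an item to follow up on.
Get-NovemberMitigationReport | Format-List
```

A `$false` in `TiffFixItApplied` means the host still parses TIFF images with the vulnerable code path and the FixIt (or an equivalent policy) should be deployed; a `$false` in `AutomaticUpdatesEnabled` means MS13-090 and the rest of the release must be pushed by WSUS or another patch-management channel rather than assumed to be installed.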

"At-risk and high-value systems should have mitigations in place already," said Ross Barrett, senior manager of security engineering at Rapid7.

Another IE patch (MS13-088) fixed two information disclosure bugs and eight memory corruption issues in various versions of the web browser. Two of the vulnerabilities affect every version of IE, from versions 6 through 11, the latest version. While attacks exploiting these vulnerabilities have not yet been reported, the fact that so many versions of Windows and Internet Explorer are affected means this patch should be rolled out as soon as possible.

Attackers could exploit these flaws by creating a malicious web page and convincing users to view the page to trigger a drive-by-download attack, Maiffret said.

The third highest priority bulletin (MS13-089) fixes a GDI bug, which affects every supported version of Windows from XP to Windows 8.1. Since attackers need to create a malicious file and convince users to open it in WordPad to exploit this vulnerability, this is not a simple browse-and-get-owned scenario, warned Maiffret. However, it is "still potent, due to the fact that it affects every version of supported Windows," he said.

The attacker would receive the same level of privilege as the running application that was using the GDI interface.

Several experts called this month's Patch Tuesday "straightforward" because the fixes focused on Windows, Internet Explorer and some Office components. There was "nothing esoteric or difficult to patch," such as SharePoint plugins or the .NET framework, said Barrett. The remaining patches addressed vulnerabilities in various versions of Microsoft Office (MS13-091), an information disclosure vulnerability in newer versions of Office (MS13-094), an elevation of privilege flaw in Hyper-V (MS13-092) in Windows 8 and Server 2012 R2, an information disclosure bug in Windows (MS13-093), and a denial of service (MS13-095) issue in the operating system.

"Overall, while it is only a medium-sized Patch Tuesday, pay special attention to the two 0-days and the Internet Explorer update. Browsers continue to be the favorite target for attackers and Internet Explorer, with its leading market share, is one of the most visible and likely targets," said Wolfgang Kandek, CTO of Qualys.