This November Patch Tuesday will be a busy one for IT, especially for the many organizations that use IE. Eight bulletins, three rated critical, were released by Microsoft. This slideshow features a rundown of the November updates, provided by Paul Henry, security and forensic expert at Lumension.
First on your list of priorities should be MS13-088. This is a critical cumulative update for Internet Explorer that applies to every supported version back to IE 6 and covers 10 CVEs.
Second on your list of priorities is MS13-089, which addresses a vulnerability in the Windows Graphics Device Interface (GDI) that could allow remote code execution on all supported versions of Windows. We have seen this type of issue before: in previous related GDI issues, the vulnerability was caused by improper parsing of TrueType fonts (TTF) in shared content. This one could be exploited if an attacker crafts a malicious file or website and convinces a user to open the file or attachment. An attacker who succeeds gains the same user rights as the logged-on user running the application that invoked GDI, so users who are not local administrators are less exposed than those who are.
Third in priority should likely be the final critical bulletin this month, MS13-090. This is a cumulative update of ActiveX kill bits for Internet Explorer, including one for CVE-2013-3918, which was first publicly disclosed on Friday, November 8.
The remaining bulletins are rated important. MS13-091 covers three CVEs in Microsoft Office. MS13-092 addresses a single CVE in Hyper-V that could allow elevation of privilege.
MS13-093 addresses a vulnerability in the Windows Ancillary Function Driver (afd.sys) that could allow information disclosure. MS13-094 resolves a publicly disclosed vulnerability in Microsoft Outlook that could allow information disclosure if a user opens or previews a specially crafted email message in an affected edition of Outlook. MS13-095 patches a vulnerability in XML digital signature handling that could allow denial of service.
Last week, Microsoft released Security Advisory 2896666, which offers a Fix it workaround for CVE-2013-3906, the Microsoft Graphics Component vulnerability being exploited through crafted Word documents. This issue was not addressed in the November bulletins, so for anyone running Windows XP with Office 2007 the Security Advisory remains your go-to. Or, upgrade from Windows XP, which you will need to do by its April end-of-life date anyway.
Additionally, Microsoft has released three new Security Advisories and updated two others this Patch Tuesday. Among the updated advisories is Security Advisory 2755801, which carries new bits for vulnerabilities in Adobe Flash Player in IE 10; the other updated advisory covers the update to improve cryptography and digital certificate handling in Windows. Of the new advisories, Security Advisory 2862152 addresses a vulnerability in DirectAccess that could allow a security feature bypass; it requires specific configuration changes, and Microsoft supplies the instructions within the advisory. Security Advisory 2868725 provides an update that lets you disable RC4 on Windows 7, Server 2008 R2, Windows 8 and Windows Server 2012. (Windows 8.1 and Server 2012 R2 already ship with this protection.) Note that the update only makes RC4 disableable; you still have to apply the registry settings the advisory describes, and any client or server on the other end that supports nothing but RC4 will then fail to negotiate a connection. Migrating to TLS 1.2 with non-RC4 cipher suites is your best long-term path here.
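The following script is an added example and is not code from the original article, from Lumension or from Microsoft. It audits the three SCHANNEL RC4 cipher keys that Security Advisory 2868725 tells administrators to configure after installing the update, and with the -Disable switch sets Enabled=0 on each of them. The function names (Get-Rc4Status, Disable-Rc4) and the -Disable switch are this example's own; the registry paths and value names are the ones the advisory documents.

```powershell
# Added example: audit and optionally disable RC4 in SCHANNEL per Security Advisory 2868725.
# Run from an elevated PowerShell prompt on Windows 7 / 2008 R2 / 8 / 2012 after installing
# the 2868725 update. SCHANNEL reads these keys at boot, so a restart is required afterwards.
param([switch]$Disable)

$cipherPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'
# The RC4 key names contain a forward slash, which the PowerShell registry provider treats
# as a path separator, so the .NET Registry classes are used instead of New-Item/Set-ItemProperty.
$rc4Keys = 'RC4 128/128', 'RC4 56/128', 'RC4 40/128'

function Get-Rc4Status {
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($cipherPath)
    foreach ($name in $rc4Keys) {
        $sub = if ($ciphers) { $ciphers.OpenSubKey($name) } else { $null }
        # A missing key or a missing 'Enabled' value means the OS default applies, which on
        # the versions the advisory targets leaves RC4 enabled.
        $enabled = if ($sub) { $sub.GetValue('Enabled', $null) } else { $null }
        [pscustomobject]@{
            Cipher  = $name
            Enabled = if ($null -eq $enabled) { 'default (on)' }
                      elseif ($enabled -eq 0) { 'disabled' }
                      else { 'enabled' }
        }
        if ($sub) { $sub.Close() }
    }
    if ($ciphers) { $ciphers.Close() }
}

function Disable-Rc4 {
    # CreateSubKey opens the key with write access and creates it if it does not exist.
    $ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($cipherPath)
    foreach ($name in $rc4Keys) {
        $sub = $ciphers.CreateSubKey($name)
        # DWORD Enabled = 0 disables the cipher; 0xffffffff (the default) enables it.
        $sub.SetValue('Enabled', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
        $sub.Close()
    }
    $ciphers.Close()
}

Write-Host 'RC4 status before:'
Get-Rc4Status | Format-Table -AutoSize

if ($Disable) {
    Disable-Rc4
    Write-Host 'RC4 status after (restart required for SCHANNEL to apply the change):'
    Get-Rc4Status | Format-Table -AutoSize
}
```

Run the script with no arguments first to see which of the three keys are still at their default, then with -Disable to write the settings. Before doing so on a server, check that the clients that connect to it offer at least one non-RC4 suite (AES-based TLS 1.2 suites are the target), because once RC4 is off, a peer that supports only RC4 will fail the handshake rather than fall back.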