Microsoft releases critical fixes for IE and Exchange Server
Posted on 13 August 2013.
There's a remotely exploitable, publicly disclosed, critical remote code execution vulnerability in Microsoft Exchange (MS13-061)! But wait, is it really remotely exploitable? Well, not in the sense that user interaction is not required; it's a parser issue that is only triggered by a user opening a malicious message in Outlook Web Access (OWA).

Okay, but it's still publicly disclosed, right? I mean this is out there? The bad guys have it, right? Well, not exactly. It's public in the sense that this vulnerability is in a third-party component (Oracle's, to be precise) which has already been patched by the "upstream" vendor. There have been no reports of active exploitation in the wild.

Well, fine then. It's still MS Exchange, right? Yes, sure, it is still an Exchange issue and odds are you have that in your organization. You might even have some people who routinely use OWA. You should patch this in your next maintenance window.

Also important, critical even, in this month's collection is the mandatory IE patch rollup (MS13-059), featuring a fix for one of the 2013 pwn2own winners. That's only a 5-month turnaround for a fix, fast by MS standards. The other critical this month is MS13-060, which is a flaw in Unicode text parsing. A user would have to be induced to open a malicious file, and this only affects Windows XP and 2003. Both of these issues should be patched ASAP.

Perhaps the most genuinely interesting vulnerability this month is MS13-062, which is reported as an Elevation of Privilege because it's a post-authentication issue in RPC. Microsoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong.

There's also a mixed bag of privilege elevation and denial of service issues, and one information disclosure. You shouldn't ignore these, but don't lose additional sleep over them. MS13-064 only affects Server 2012 performing NAT, and is limited to exploitation from the local network, but is a persistent DoS (server restart required to clear). If you're in the business of securing networks and those are your biggest concerns, then you are doing far better than most... Assuming you have confidence that Microsoft has the best exploit writers in the world and no one out there can figure out how to turn that DoS into code execution.


Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.




