IT WAS TIME for Microsoft to patch its critical bugs again yesterday, and this month the company issued eight bulletins addressing 23 vulnerabilities in August's Patch Tuesday.
Three of the eight patches - MS13-059, MS13-060 and MS13-061 - were rated "critical", with the first affecting Internet Explorer (IE), a patch that Microsoft advised users to install as quickly as possible.
Patch MS13-059 fixes 11 vulnerabilities in all versions of IE from IE6 to IE10.
"[This patch] is rated 'critical' on all operating systems and should be installed as soon as possible, as its exploitation index is a low '1', indicating that Microsoft believes that exploit code can be crafted relatively quickly (within 30 days)," security firm Qualys' CTO Wolfgang Kandek said.
The attack vector in such a case would be a malicious webpage, either exploited by the attacker or sent to the victim in a spear-phishing e-mail.
"Patch this immediately as the highest priority on your desktop system and wherever your users browse the web," Kandek warned.
As for critical patch MS13-060, Microsoft has addressed a font vulnerability in the Bengali font, part of the Indic language pack. However, this vulnerability can only be exploited in Windows XP, so it can be avoided if the language pack is not installed or if users are not running Windows XP.
The third and final critical bulletin MS13-061 addresses three vulnerabilities in Microsoft Exchange that can be traced back to the third-party library Outside In from Oracle. Oracle published new versions of the library in April and July, and Microsoft has incorporated these new versions in its August Patch Tuesday update.
Microsoft also introduced two patches for address space layout randomisation (ASLR) bypasses this month in MS13-059 for IE and MS13-063 in the Windows kernel. Both of these came from the CanSecWest Pwn2Own competition this year, showing that Microsoft has finally acknowledged the danger mitigation bypasses can bring.
Microsoft has pulled patch MS13-061 that covered Exchange 2013 because it causes a corruption of the index database. Security companies are advising those who have Exchange 2013 and have not installed MS13-061 yet to wait.
Those who have installed it and whose installation is showing signs of the issue should take a look at update KB2879739 for a workaround involving the editing of registry keys. µ