Microsoft Security Bulletin Summary for October 2013

Number: AV13-036
Date: 09 October 2013

Purpose

The purpose of this advisory is to bring attention to the monthly Microsoft Security Bulletin Summary for October. The summary covers 8 bulletins (4 Critical and 4 Important), which address multiple vulnerabilities in some Microsoft products.

Assessment

Microsoft has released the following security bulletins:

MS13-080 - Cumulative Security Update for Internet Explorer (2879017)
Details: The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user; users who operate with administrative rights would therefore be more heavily affected than users with fewer rights. This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Internet Explorer.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Internet Explorer
CVE References: CVE-2013-3871, CVE-2013-3872, CVE-2013-3873, CVE-2013-3874, CVE-2013-3875, CVE-2013-3882, CVE-2013-3885, CVE-2013-3886, CVE-2013-3893, CVE-2013-3897
https://technet.microsoft.com/en-us/security/bulletin/ms13-080

MS13-081 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2870008)
Details: The most severe of these vulnerabilities could allow remote code execution if a user views shared content that embeds OpenType or TrueType font files. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. This security update resolves seven privately reported vulnerabilities in Microsoft Windows (the seven CVEs listed below).
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Permanent
Affected Product: Microsoft Windows
CVE References: CVE-2013-3128, CVE-2013-3200, CVE-2013-3879, CVE-2013-3880, CVE-2013-3881, CVE-2013-3888, CVE-2013-3894
https://technet.microsoft.com/en-us/security/bulletin/ms13-081

MS13-082 - Vulnerabilities in .NET Framework Could Allow Remote Code Execution (2878890)
Details: The most severe of the vulnerabilities could allow remote code execution if a user visits a website containing a specially crafted OpenType font (OTF) file using a browser capable of instantiating XBAP applications. This security update resolves two privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft .NET Framework.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index: Permanent
Affected Products: Microsoft Windows, Microsoft .NET Framework
CVE References: CVE-2013-3128, CVE-2013-3860, CVE-2013-3861
https://technet.microsoft.com/en-us/security/bulletin/ms13-082

MS13-083 - Vulnerability in Windows Common Control Library Could Allow Remote Code Execution (2864058)
Details: The vulnerability could allow remote code execution if an attacker sends a specially crafted web request to an ASP.NET web application running on an affected system. An attacker could exploit this vulnerability without authentication to run arbitrary code. This security update resolves a privately reported vulnerability in Microsoft Windows.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Windows
CVE References: CVE-2013-3195
https://technet.microsoft.com/en-us/security/bulletin/ms13-083

MS13-084 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2885089)
Details: The most severe vulnerability could allow remote code execution if a user opens a specially crafted Office file in an affected version of Microsoft SharePoint Server, Microsoft Office Services, or Web Apps. This security update resolves two privately reported vulnerabilities in Microsoft Office server software.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Important
Maximum Exploitability Index: 2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Products: Microsoft Office, Microsoft Server Software
CVE References: CVE-2013-3889, CVE-2013-3895
https://technet.microsoft.com/en-us/security/bulletin/ms13-084

MS13-085 - Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2885080)
Details: The vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update resolves two privately reported vulnerabilities in Microsoft Office.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Important
Maximum Exploitability Index: 2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Office
CVE References: CVE-2013-3889, CVE-2013-3890
https://technet.microsoft.com/en-us/security/bulletin/ms13-085

MS13-086 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (2885084)
Details: This security update resolves two privately reported vulnerabilities in Microsoft Office.
The vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word or other affected Microsoft Office software. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Important
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Office
CVE References: CVE-2013-3891, CVE-2013-3892
https://technet.microsoft.com/en-us/security/bulletin/ms13-086

MS13-087 - Vulnerability in Silverlight Could Allow Information Disclosure (2890788)
Details: The vulnerability could allow information disclosure if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger message that takes them to the attacker’s website. It could also be possible to display specially crafted web content by using banner advertisements or by using other methods to deliver web content to affected systems. This security update resolves a privately reported vulnerability in Microsoft Silverlight.
Maximum Security Impact: Information Disclosure
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Not Applicable
Affected Product: Microsoft Silverlight
CVE References: CVE-2013-3896
https://technet.microsoft.com/en-us/security/bulletin/ms13-087

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications, and verify afterwards that each bulletin's update is actually present on the systems in scope.
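The following PowerShell script is an added example for verifying deployment and is not part of the CCIRC advisory or of Microsoft's own tooling. It looks for the bulletin-level KB numbers quoted above on one or more Windows hosts, reading two sources: Win32_QuickFixEngineering (what Get-HotFix returns; this covers Windows, Internet Explorer and .NET Framework updates installed through Component-Based Servicing) and the Uninstall registry keys (this covers Windows Installer patches such as the Office, SharePoint and Silverlight updates, which do not appear in Get-HotFix). The function names and the $BulletinKBs table are this example's own. Note the assumption built into the table: MS13-081 and MS13-082 ship as several component packages, and the Office-family bulletins install per-product packages, each with its own KB number listed in the bulletin's Affected Software table; those package KBs, not the bulletin KB, are what the host records, so the table must be replaced or extended with the package KBs for your platform before "False" is treated as "missing".

```powershell
# Added example (not from the CCIRC advisory): check one or more Windows hosts for the
# October 2013 bulletin updates using two sources of installed-update information.
#
# Assumption: these are the bulletin-level KB articles quoted in the advisory. Several
# bulletins (MS13-081, MS13-082 and the Office-family bulletins) deploy as component or
# per-product packages with their own KB numbers; substitute those package KBs for your
# OS / .NET / Office versions before relying on a "not installed" result.
$BulletinKBs = [ordered]@{
    'MS13-080' = 'KB2879017'
    'MS13-081' = 'KB2870008'
    'MS13-082' = 'KB2878890'
    'MS13-083' = 'KB2864058'
    'MS13-084' = 'KB2885089'
    'MS13-085' = 'KB2885080'
    'MS13-086' = 'KB2885084'
    'MS13-087' = 'KB2890788'
}

function Get-InstalledKBs {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Source 1: Component-Based Servicing hotfixes (HotFixID is of the form "KB2879017").
    $qfe = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
        Select-Object -ExpandProperty HotFixID

    # Source 2: Windows Installer patches registered under the Uninstall keys. Their
    # DisplayName carries the KB in parentheses, e.g.
    # "Security Update for Microsoft Office 2010 (KB2885080) 32-Bit Edition".
    $uninstallPaths = @(
        'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $msi = foreach ($path in $uninstallPaths) {
        $key = $hklm.OpenSubKey($path)
        if ($null -eq $key) { continue }
        foreach ($subName in $key.GetSubKeyNames()) {
            $sub = $key.OpenSubKey($subName)
            if ($null -eq $sub) { continue }
            $displayName = [string]$sub.GetValue('DisplayName')
            if ($displayName -match '\((KB\d+)\)') { $Matches[1] }
        }
    }

    @($qfe) + @($msi) | Sort-Object -Unique
}

function Test-BulletinCompliance {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $installed = Get-InstalledKBs -ComputerName $computer
        foreach ($entry in $BulletinKBs.GetEnumerator()) {
            [pscustomobject]@{
                ComputerName = $computer
                Bulletin     = $entry.Key
                KB           = $entry.Value
                Installed    = [bool]($installed -contains $entry.Value)
            }
        }
    }
}

# Usage: run as-is for the local host, or pass -ComputerName for remote hosts. Remote
# queries need administrative rights on the target and, for the registry source, the
# Remote Registry service. Only the bulletins that are missing are shown.
Test-BulletinCompliance | Where-Object { -not $_.Installed } | Format-Table -AutoSize
```

Because the registry source matches any "(KBnnnnnnn)" in a DisplayName, the same function works unchanged once the table is populated with package-level KBs; a host that reports every entry as installed from both sources has the bulletin applied, whereas an entry reported as missing should be confirmed against the bulletin's Affected Software table before it is treated as a gap.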

References:

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
