Microsoft, Adobe Patch Critical Vulnerabilities in Security Updates

In a sweeping Patch Tuesday update, Microsoft plugs nearly three dozen security holes in Windows, Internet Explorer and other products.

Microsoft and Adobe Systems released a series of critical security updates for their customers to close down security holes before hackers sneak in.

As part of Patch Tuesday, Microsoft issued patches for 34 vulnerabilities across its product lines. Six of the seven bulletins this month are rated "Critical," while the remaining bulletin is considered "Important." The critical bulletins cover issues across a number of products, including Windows, GDI+, Silverlight and the .NET Framework. The biggest set of critical vulnerabilities patched in the update however reside in Internet Explorer.

"Internet Explorer vulnerabilities this month made up exactly half of the CVEs addressed in the July bulletin," noted Craig Young, a security researcher at Tripwire. "This is particularly alarming because 16 of the 17 issues addressed are memory corruption vulnerabilities—many of which Microsoft expects could be reliably exploited in the next 30 days. What's more, this comes on the heels of a particularly large June Internet Explorer update."

Still, a vulnerability unrelated to IE—CVE-2013-3129—may be of the most concern to organizations, as it is mentioned in three separate bulletins. The bug is a remote code execution vulnerability and exists due to how certain Windows components handle TrueType font files. CVE-2013-3129 is mentioned in bulletins MS13-052, MS13-053 and MS13-054 and affects several software packages, including Office, Visual Studio and Silverlight.

"Every Windows system has TrueType font files," explained Tommy Chin, technical support engineer at Core Security. "Attackers can social engineer potential victims to view a crafted file with malicious TrueType content. Successful attacks can give the attacker not only access to the affected system, but since it's in kernel-mode, it's administrator access. It's remote code execution and privilege escalation all in one. The scenario I can see with these types of open doors is the potential leakage and contamination of intellectual software property."

Several experts suggested organizations start their patching by prioritizing MS13-053, which addresses eight vulnerabilities within the Windows kernel—including CVE-2013-3660, which was detailed on the Full Disclosure mailing list earlier this year. Since exploit code for the vulnerability is already public, it is likely attackers will be focused on targeting it, said Marc Maiffret, CTO of BeyondTrust. According to Microsoft, in most scenarios, an attacker who successfully exploits this vulnerability could escalate privileges on the targeted system. It is also theoretically possible, however, for an attacker to achieve remote code execution, though this is unlikely due to memory randomization, Microsoft stated.

The only non-critical bulletin this month concerns a privately reported issue in Windows Defender for Windows 7 and Windows Defender installed on Windows Server 2008 R2 that could allow an attacker to elevate privilege.

The Microsoft updates are not the only concern for administrators however. Adobe also pushed out patches Tuesday for Flash Player, ColdFusion and Shockwave Player. Adobe has said it is unaware of any ongoing attempts to exploit the vulnerabilities currently in the wild. Several of the bugs though are considered critical, so Adobe recommends users upgrade to the latest versions as soon as possible.