Microsoft Patches Windows Zero-Day Flaw, Serious TrueType Error


Microsoft plugged a high-profile Windows zero-day vulnerability and 33 other flaws across its product line as part of its July Patch Tuesday round of security updates.

The software giant issued seven bulletins Tuesday, six rated "critical," fixing flaws in Microsoft Office, Internet Explorer, DirectShow, .NET and Silverlight that could be remotely targeted by an attacker to gain access to critical systems or files.

Vulnerability management experts said patching administrators should give priority to MS13-053. The bulletin fixes two publicly disclosed vulnerabilities and six privately reported flaws in Microsoft Windows. One of the two publicly disclosed flaws already has a public Metasploit module that allows an attacker to elevate privileges on the system.

A Windows TrueType Font parsing vulnerability that appears in three separate security bulletins is of concern because it can be found in a variety of Microsoft products, said Tyler Reguly, technical manager of the security research and development group at Portland, Ore.-based Tripwire.

"It increases the attack surface, giving a lot more ways to exploit the vulnerabilities," Reguly said. "It's one that exploits can be developed for."

The TrueType vulnerability appears in GDI+, a component of the Windows operating system that renders two-dimensional vector graphics across Microsoft's product line, said Marc Maiffret, chief technology officer of San Diego, Calif.-based security firm BeyondTrust. Attackers can exploit the flaw in the font parsing engines of Windows, Office, Internet Explorer, Lync or Visual Studio to take complete control of an affected system.

"We have seen TrueType font parsing vulnerabilities used as exploitation vectors with great success in targeted attacks, such as Stuxnet and Duqu," Maiffret said. "This will be a target for attackers in the near future."

Bulletin MS13-055 addresses 17 vulnerabilities in Internet Explorer that an attacker could use to gain access to a victim's machine. The update is rated critical for all supported versions of the browser. Microsoft said it has not seen any attacks targeting the issues.

Microsoft also addressed remote code execution flaws in its media players. The company repaired an error in Microsoft DirectShow and its Windows Media Format Runtime Engine, as well as five vulnerabilities in the .NET Framework and Silverlight.

In addition to releasing security bulletins, Microsoft unveiled a new policy requiring developers who distribute apps through the Windows Store, Windows Phone Store, Office Store and Azure Marketplace to repair security vulnerabilities within a specific time frame. The new policy requires developers to fix security vulnerabilities within six months. The company said it reserves the right to remove from the store any app that is being actively targeted or that exceeds the six-month threshold.

"We expect that developers will address all vulnerabilities much faster than 180 days. To date, no apps have come close to exceeding this deadline," Microsoft said in its announcement.

PUBLISHED JULY 9, 2013