Patch Tuesday: Microsoft Fixes Critical Zero-Day Flaw, Issues Browser Update


Microsoft is repairing a critical vulnerability being actively used in zero-day attacks against its core graphics engine, but engineers are still working on a fix to a second known flaw in its Windows XP operating system.

A patch for the kernel-level graphical device interface was part of the company's December 2013 Patch Tuesday security updates. The Redmond, Wash.-based software maker repaired 24 flaws across its product line, releasing 11 bulletins this month, including five rated critical that address serious flaws in Internet Explorer, Windows, Microsoft Exchange and Microsoft Office.

The company issued an advisory in November acknowledging ongoing zero-day attacks targeting an error in the way Windows handles TIFF graphics files. The threat impacts users of Microsoft Office 2003 through 2010 as well as all supported versions of Microsoft Lync running on Windows XP, Windows Vista and Windows 7.

[Related: Top 5 Zero-Day Threats Of 2013]

A known zero-day vulnerability that surfaced last week in Windows XP remains open while engineers work on a patch. Security experts are downplaying the threat associated with the second zero-day, because an attacker would need local access to Windows XP in order to fully exploit the error to gain elevation of privileges on the system. "We recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems," wrote Dustin Childs, group manager of response communications in Microsoft's Trustworthy Computing unit, in the Microsoft Security Response blog.

IT teams need to look carefully at the impact of zero-day vulnerabilities across the organization, say security experts who point to a string of zero-day exploits that have been used in targeted attacks this year. Businesses are already struggling to maintain basic security controls, said Chris Camejo, who heads assessment services at managed service provider NTT Com Security. Zero-days are helping the offense win, Camejo said.

"There's a big market out there for zero-days with all kinds of threat actors out there who could potentially use them," Camejo told CRN.

In addition to the update fixing the zero-day vulnerability, solution providers told CRN that businesses should address an update repairing seven flaws in Internet Explorer. A coding error in Microsoft's Scripting Runtime Object Library is also a serious problem, they say. Attackers could use both updates in drive-by attacks or to get users to visit a malicious website.

Attackers can target flaws in the browser and scripting engine on all currently supported versions of Windows, which means fixing them should be a priority, said Wolfgang Kandek, chief technical officer at vulnerability management vendor Qualys Inc.

Kandek said patching administrators should also look at Microsoft's update to Exchange Server, which resolves three vulnerabilities addressing errors in Outlook Web Access and a cross-site scripting error. A successful attack could enable a complete takeover of the mail server, Kandek said. The patches update the Oracle Outside-In Libraries and impact users of Exchange Server 2007, 2010 and 2013. "There haven't been any active attacks in the wild, but the information is available for someone to create an attack targeting Microsoft Exchange fairly quickly," Kandek said.

Microsoft also addressed a vulnerability in Microsoft Office. The software maker said it has detected attacks targeting the coding error, which impacts users of Office 2013. An attack could expose access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site, Microsoft said. In addition, Microsoft issued repairs to SharePoint Server, the Windows kernel and Microsoft Office.

PUBLISHED DEC. 10, 2013