The zero-day bug is fixed by MS13-090, a cumulative update for
ActiveX Kill Bits. The actively exploited vulnerability, which exists in
the InformationCardSigninHelper Class ActiveX control, could allow an
attacker to achieve remote code execution if a user views a maliciously
crafted webpage in Internet Explorer. As always, users with fewer
user rights could be less impacted than those with administrative rights.
Microsoft is not yet patching a second zero-day in its Office product
suite, but it has released a workaround for it. Writing about the flaw,
known as the TIFF zero-day, researchers from SpiderLabs said on their blog
that Microsoft’s FixIt tool should mitigate the issue until Microsoft
patches it, likely with an out-of-band patch before next
month’s Patch Tuesday release.
Ross Barrett, senior manager of security engineering at Rapid7, noted
in an email conversation with Threatpost that Microsoft’s failure to
patch the TIFF bug is frustrating, but that Rapid7 is seeing only very
limited, targeted exploitation of the vulnerability – confined to a specific
region – and that exploitation requires user interaction. He therefore
said he would not worry about it too much.
Beyond these, MS13-088, Microsoft’s cumulative update for Internet
Explorer, which is not related to the zero-days, is likely the next
highest-priority fix for network operators. It resolves 10 privately
reported bugs, the most severe of which could allow for remote code
execution again if a user views a maliciously crafted webpage in
Internet Explorer, thus granting an attacker the same user rights as the
current user. The impact would once again depend on the level of rights
the victim has on the browser.
The other critically rated bulletin resolves an issue in the Windows graphics
device interface and could also enable remote code execution if a user
views or opens a specially crafted Windows Write file in WordPad. Again,
users with fewer rights will be less impacted.
The remaining, important-rated bulletins, MS13-091 through MS13-095,
resolve seven publicly and privately reported bugs: a remote code
execution vulnerability in Office, an elevation of privileges flaw in
Hyper-V, information disclosures in the Windows ancillary function
driver and Outlook, and a denial of service problem in Windows digital
signatures.
Tyler Reguly, a technical manager of security research and
development at Tripwire, told Threatpost that the most interesting
important-rated bugs are likely the Outlook vulnerability, which could
enable port scanning; the Hyper-V vulnerability, because it could
allow guest-OS-to-guest-OS code execution; and an X.509 issue in
schannel.dll that could allow denial of service.
“Overall, while it is only a medium-sized Patch Tuesday, pay special
attention to the two 0-days and the Internet Explorer update,” wrote
Wolfgang Kandek, CTO of the IT security firm Qualys, in his analysis of
the patch release. “Browsers continue to be the favorite target for
attackers, and Internet Explorer, with its leading market share, is one
of the most visible and likely targets.”
Source: Threatpost