Microsoft released eight new security bulletins for the
November Patch Tuesday, bringing the total for 2013 to 95 security bulletins so
far. With only three Critical, and five Important security bulletins, it’s a
generally light month for IT admins.
The two highest priorities are MS13-088 – the Cumulative
Update for Internet Explorer, and MS13-090 – a Cumulative Security Update for
ActiveX Kill Bits, which addresses a zero-day vulnerability that is already
being actively exploited in the wild. Aside from those two, the security
bulletins this month are relatively tame, and IT admins should be able to enjoy
the Thanksgiving break with some peace of mind.
This blog post is also
available in the PDF format in a TechRepublic Download. Falling behind on
your patch deployments, catch
up with previously published Microsoft Patch Tuesday blog posts.
This month’s eight security bulletins address a total of 19
separate vulnerabilities spanning Internet Explorer, Microsoft Office, Hyper-V virtualization,
the Graphics Device Interface (GDI), and more.
/ KB2888505 – Cumulative Security Update for Internet Explorer
More than half of the vulnerabilities this month are
addressed with this one update. MS13-088 resolves ten separate vulnerabilities
affecting all versions of Internet Explorer from IE6 to IE11. Two of the flaws
could allow information disclosure, and the remaining eight are memory
corruption issues that could be exploited to enable an attacker to execute
malicious code remotely on the vulnerable system. There are no known exploits
in the wild currently for these vulnerabilities, but an attacker could execute
an exploit by crafting a malicious Web page and luring users to visit it.
Editor’s note (11-15): According to sister-site ZDNet, not all of the vulnerabilities listed in MS13-088 were actually patched.
/ KB2876331 – Vulnerability in Windows Graphics Device Interface
Could Allow Remote Code Execution
This security bulletin is rated as Critical by Microsoft because
the flaw could allow an attacker to execute malicious code remotely on the
target system, and the flaw impacts all supported versions of Windows from
Windows XP to Windows 8.1. The severity, however, is tempered significantly by
the fact that an attacker would have to create a malicious file, and somehow
convince a user to open it using WordPad – an application that very few people
/ KB2900986 – Cumulative Security Update of ActiveX Kill Bits
MS13-090 is an urgent update for two reasons. First, a
successful exploit of the vulnerability enables the attacker to execute
malicious code on the compromised system. Second, this is a zero-day flaw that
is already being actively exploited in the wild. A specially-crafted malicious
Web page can be used to trigger the flawed ActiveX control and compromise the
system. All desktop versions of Windows are affected, but the potential threat
can be minimized by ensuring users don’t operate with full administrator
/ KB2885093 – Vulnerabilities in Microsoft Office Could Allow Remote
This security bulletin addresses three vulnerabilities in
Microsoft Office – impacting Office 2003, 2007, 2010, and 2013. One of the
three vulnerabilities spans all versions of Office, and will probably be the
one attackers will focus their attention on. The security bulletin is only rated
as Important by Microsoft, but because Microsoft Office is so pervasive, and a
successful attack could lead to remote code execution, this patch should be a
/ KB2893986 – Vulnerability in Hyper-V Could Allow Elevation of
The threat from MS130-092 is relatively limited. The
vulnerability is specific to Windows 8 and Windows Server 2012 – Windows 8.1
and Windows Server 2012 R2 are unaffected. A successful attack could lead to an
elevation of privilege, or to a denial of service by crashing the hypervisor,
but the attacker would first need access to a guest virtual machine running
within the Hyper-V host in order to pass a specially crafted hypercall to trigger
/ KB2875783 – Vulnerability in Windows Ancillary Function Driver
Could Allow Information Disclosure
This flaw poses very little risk. A memory disclosure
vulnerability in the Windows ancillary function driver can lead to an elevation
of privilege, and possible information disclosure. However, the attacker has to
first be logged on to the vulnerable system with valid local credentials, and
then execute a specially-crafted application to trigger the flaw. A remote
attacker would first need to successfully exploit some other flaw to gain
control of the target system before this flaw could be a threat.
/ KB2894514 – Vulnerability in Microsoft Outlook Could Allow
This is a publicly disclosed vulnerability that affects
Outlook 2007, 2010, and 2013. If an attacker tricks a user into opening a
specially-crafted malicious email message using an affected version of Outlook,
it could lead to information disclosure. The attacker may be able to extract
details such as IP address, open TCP ports, and other sensitive information.
/ KB2868626 – Vulnerability in Digital Signatures Could Allow Denial
MS13-095 also poses virtually no real risk in and of itself.
A flaw in how Microsoft interprets digital signatures can be exploited with a
specially-crafted X.509 certificate to crash the affected system and cause a
denial of service condition.
Two previous patch day articles:
Microsoft Patch Tuesday: October 2013
Microsoft Patch Tuesday: September 2013