Microsoft has issued fixes for critical vulnerabilities in its 
Internet Explorer, Exchange Server and Unicode Scripts Processor 
services in its latest Patch Tuesday update.
The patch rollout included eight security bulletins addressing 23 
vulnerabilities. The most serious are the MS13-059 Internet Explorer, 
MS13-060 Unicode Scripts Processor and MS13-061 Microsoft Exchange 
Server updates, which are all listed as critical fixes.
								
Qualys chief technology officer Wolfgang Kandek listed the Internet 
Explorer vulnerabilities as being particularly dangerous as they exist 
in multiple versions of the web browser.
"For MS13-059, the affected software is Internet Explorer (IE) and is
definitely installed. It fixes 11 vulnerabilities in all versions of IE
from IE6 to IE10 on Windows RT. It is rated 'critical' on all operating
systems and should be installed as soon as possible, as its
exploitation index is a low '1', indicating that Microsoft believes that
exploit code can be crafted relatively quickly (within 30 days)," he
said.
"As usual with IE vulnerabilities, the attack vector would be a 
malicious webpage, either exploited by the attacker or it could be sent 
to the victim in a spear-phishing email. Patch this immediately as the 
highest priority on your desktop system and wherever your users browse 
the web."
Kandek said the other two critical vulnerabilities, while serious, 
relate to more specific versions of Windows or have already been patched
 by other companies, meaning most businesses with up-to-date systems 
should be safe.
"MS13-060 addresses a font vulnerability in the Bengali font, part of
the Indic language pack. MS13-060 can only be exploited in Windows XP,
so your organisation might escape this patch if the language pack is not
installed or if you are not running on XP anymore," he said.
"The critical bulletin MS13-061 addresses three vulnerabilities in 
Microsoft Exchange that can be traced back to the third-party library 
Outside In from Oracle. Oracle published new versions of Outside In in 
April and July, and Microsoft has incorporated these new versions in 
this update."
He added that while other vulnerabilities addressed in the patch 
update are lower priority, the three critical releases should act as a 
stark reminder for businesses to follow cyber best practice guidelines 
and install fixes as soon as possible.
"Overall [it was] a normal Patch Tuesday with the Internet Explorer 
patch, which is now a normal monthly occurrence and the expected 
Microsoft Exchange fixes for the Oracle library Outside In, plus a good 
reminder of the Windows XP end-of-life," he said.
Patch Tuesday is a monthly event for Microsoft, where it releases 
fixes for newly discovered vulnerabilities in its services. Last month 
the patch rollout saw the tech giant release fixes for six critical vulnerabilities in its .NET Framework and Silverlight packages.