Wednesday, 14 August 2013

Microsoft fixes critical flaws in Internet Explorer, Exchange Server and Unicode Scripts Processor

Microsoft has issued fixes for critical vulnerabilities in its Internet Explorer, Exchange Server and Unicode Scripts Processor services in its latest Patch Tuesday update.
The patch rollout included eight security bulletins addressing 23 vulnerabilities. The most serious are the MS13-059 Internet Explorer, MS13-060 Unicode Scripts Processor and MS13-061 Microsoft Exchange Server updates, which are all listed as critical fixes.
Qualys chief technology officer Wolfgang Kandek listed the Internet Explorer vulnerabilities as being particularly dangerous as they exist in multiple versions of the web browser.
"For MS13-059, the affected software is Internet Explorer (IE) and is definitely installed. It fixes 11 vulnerabilities in all versions of IE from IE6 to IE10 on Windows RT. It is rated 'critical' on all operating systems and should be installed as soon as possible, as its exploitation index is a low '1', indicating that Microsoft believes that exploit code can be crafted relatively quickly (within 30 days)," he said.
"As usual with IE vulnerabilities, the attack vector would be a malicious webpage, either exploited by the attacker or it could be sent to the victim in a spear-phishing email. Patch this immediately as the highest priority on your desktop system and wherever your users browse the web."
Kandek said the other two critical vulnerabilities, while serious, relate to more specific versions of Windows or have already been patched by other companies, meaning most businesses with up-to-date systems should be safe.
"MS13-060 addresses a font vulnerability in the Bengali font, part of the Indic language pack. MS13-060 can only be exploited in Windows XP, so your organisation might escape this patch if the language pack is not installed or if you are not running on XP anymore," he said.
"The critical bulletin MS13-061 addresses three vulnerabilities in Microsoft Exchange that can be traced back to the third-party library Outside In from Oracle. Oracle published new versions of Outside In in April and July, and Microsoft has incorporated these new versions in this update."
He added that while other vulnerabilities addressed in the patch update are lower priority, the three critical releases should act as a stark reminder for businesses to follow cyber best practice guidelines and install fixes as soon as possible.
"Overall [it was] a normal Patch Tuesday with the Internet Explorer patch, which is now a normal monthly occurrence and the expected Microsoft Exchange fixes for the Oracle library Outside In, plus a good reminder of the Windows XP end-of-life," he said.
Patch Tuesday is a monthly event for Microsoft, where it releases fixes for newly discovered vulnerabilities in its services. Last month the patch rollout saw the tech giant release fixes for six critical vulnerabilities in its .Net Framework and Silverlight packages.
