Three of the fixes, or bulletins, were deemed “critical” because they addressed bugs that all allowed remote code execution (RCE) after a user opened a malicious file or viewed an infected web page.
The highest-priority patch appears to be MS13-059, which resolves 11 vulnerabilities affecting Internet Explorer, from IE 6 running on Windows XP to IE 10 running on Windows 8 and RT tablets. The bulletin patched “severe vulnerabilities” that could allow an attacker to obtain the same user rights as victims who visit an infected web page.
Wolfgang Kandek, CTO at Redwood City, Calif.-based cloud security and compliance solutions provider Qualys, said in a Tuesday blog post that the fix should be installed as soon as possible.
“As usual with IE vulnerabilities, the attack vector would be a malicious web page, either exploited by the attacker or it could be sent to the victim in a spear phishing email,” he said in prepared comments sent to SCMagazine.com. “Patch this immediately as the highest priority on your desktop system and wherever your users browse the web.”
A second critical bulletin, MS13-060, fixed one privately reported flaw in Unicode Scripts Processor, a Windows service used to render Unicode-encoded text. If exploited, the bug could also allow a saboteur to remotely execute code after a user views a malicious document or web page using an application that supports embedded OpenType fonts.
The final critical fix, bulletin MS13-061, rectified three publicly disclosed bugs in Microsoft Exchange Server. The bugs actually lie in the way Exchange files are processed by Oracle Outside In, a set of libraries that software developers use to decode hundreds of file formats. Microsoft has dealt with similar issues in the past.
There are no reports the weaknesses have been exploited in the wild.
Additional patches in the Microsoft update addressed bugs rated “important” that could allow attackers to carry out denial-of-service attacks and gain elevated rights privileges.