Among the patches for Microsoft’s browser is a fix for a newsworthy zero-day threat — and there are still more patches needed.
Plus: A special patch for Windows 8, more .NET fixes, and a clutch of smaller security updates for various MS productivity apps.
MS13-037 (2829530), MS13-038 (2847204)
A one-two punch for Internet Explorer
We expect to get a patch of Microsoft’s browser just about every Patch Tuesday. But this week brings two security updates — both critical. KB 2829530 (MS13-037), the usual cumulative patch, applies to IE Versions 6–10 and fixes 11 privately reported vulnerabilities. It includes fixes for several — but not all — IE bugs revealed at the CanSecWest Pwn2Own contest (more info), as noted on an MS Security Research & Defense blog.
KB 2847204 is, however, the more interesting patch. Security researchers discovered that zero-day attacks were launched via a compromised U.S. Department of Labor website, as reported in a Computerworld story. If a user visited the site using IE 8, malicious code on the government server collected information from the user’s PC and then sent the information to a cyber criminal’s Web server. That server in turn downloaded code to the user’s system, ultimately allowing the cyber criminal to take ownership of the PC. An AlienVault Labs blog gives a blow-by-blow account of how it works.
KB 2847204 affects only Internet Explorer 8 and 9. MS gives no severity rating for IE 9, but the patch is critical for workstation versions of IE 8.
What to do: Install both KB 2829530 (MS13-037) and KB 2847204 (MS13-038) as soon as possible. Note: You’ll have compatibility problems if you install MS13-038 but don’t install MS13-037. Also, if you installed the previously released Fix it for the DoL exploit, you don’t need to remove it.
An HTTP of Death for Windows 8 systems
Affecting only Windows 8, Windows RT, and Server 2012, KB 2829254 (MS13-039) fixes a vulnerability in how the HTTP protocol stack (HTTP.sys) handles HTTP headers; a malicious request could trigger a denial of service. Rated important, this fix is needed mostly on Web servers. However, Windows 8 workstations and Windows RT devices could be vulnerable, too.
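As an added example (not part of the original column), the following PowerShell snippet checks a Windows machine for the three updates discussed above, KB 2829530 (MS13-037), KB 2847204 (MS13-038), and KB 2829254 (MS13-039), and warns about the compatibility gap the IE section describes, MS13-038 installed without MS13-037. It assumes the updates register with the built-in Get-HotFix cmdlet under their KB numbers, as OS-level updates normally do; the KB-to-bulletin table is taken from this column.

```powershell
# Added example, not from the original Patch Watch column.
# Verify that the May 2013 updates named in the column are installed and
# flag the MS13-038-without-MS13-037 combination the column warns about.
# Assumption: each update appears in Get-HotFix with HotFixID "KB<number>".

$required = [ordered]@{
    'KB2829530' = 'MS13-037  cumulative IE update (IE 6-10)'
    'KB2847204' = 'MS13-038  IE 8/9 zero-day fix'
    'KB2829254' = 'MS13-039  HTTP.sys denial of service (Win8/RT/2012)'
}

# Collect the installed hotfix IDs once; Get-HotFix queries Win32_QuickFixEngineering.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

foreach ($kb in $required.Keys) {
    $status = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
    Write-Output ('{0,-10} {1,-55} {2}' -f $kb, $required[$kb], $status)
}

# The column notes compatibility problems when MS13-038 is present without MS13-037.
if (($installed -contains 'KB2847204') -and -not ($installed -contains 'KB2829530')) {
    Write-Warning 'KB2847204 (MS13-038) is installed without KB2829530 (MS13-037); install MS13-037 to avoid the compatibility problems noted above.'
}
```

KB 2829254 only applies to Windows 8, Windows RT, and Server 2012, so a MISSING result for it on Windows 7 or earlier is expected rather than a gap; read the report against the product versions each bulletin covers.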