Microsoft Patches TrueType Font and IE Flaws
Microsoft's July Patch Tuesday yields a long list of fixes, including a patch for an IE zero-day flaw first disclosed in June.
Microsoft's July Patch Tuesday update provides seven advisories, six of which are rated critical, to address at least 34 vulnerabilities across its software portfolio. Once again, Microsoft's IE browser is strongly represented in the list of fixed flaws. The MS13-055 advisory fixes no less than 17 flaws in Microsoft's Web browser.
"Internet Explorer vulnerabilities this month made up exactly half of the CVEs addressed in the July bulletin," said Craig Young, Tripwire security researcher. "This is particularly alarming because 16 of the 17 issues addressed are memory corruption vulnerabilities -- many of which Microsoft expects could be reliably exploited in the next 30 days."
The 17 flaws fixed in the July patch update follow 19 flaws that Microsoft patched in June. Among the flaws in the MS13-055 advisory, Microsoft credits discoveries from HP's Zero Day Initiative (ZDI), as well as Ivan Fratric and Ben Hawkes of the Google Security Team.
The MS13-055 advisory does not address a zero-day flaw first disclosed by Google researcher Tavis Ormandy in June. That flaw is fixed by the MS13-053 advisory that addresses vulnerabilities in Windows Kernel-Mode Drivers. MS13-053 provides fixes for eight vulnerabilities in total, including CVE-2013-3660, which is the Ormandy flaw.
TrueType Font Flaw
MS13-053 is also notable as it is one of multiple advisories this month to include a TrueType font flaw. Tommy Chin, technical support engineer, CORE Security, noted that every Windows system has TrueType font files. Attackers can use a social engineering attack on potential victims to try to get them to view a crafted file with malicious TrueType content.
"Successful attacks can give the attacker not only access to the affected system, but since it’s in kernel mode, it’s administrator access, remote code execution and privilege escalation all in one," Chin said. "The scenario I can see with these types of open doors is the potential leakage and contamination of intellectual software property."
Digging deeper into the TrueType flaw, Microsoft identifies it as CVE 2013-3129 and actually fixes it across multiple advisories. Ross Barrett, senior manager of security engineering at Rapid7, noted that, for the first time ever Microsoft is addressing a single CVE (CVE-2013-3129) in three different advisories (MS13-052, MS13-053 and MS13-054). MS13-052 details vulnerabilities in the .NET Framework and Silverlight that could allow remote code execution (2861561), while MS13-054 fixes vulnerabilities in GDI+ that could allow remote code execution.
"This issue relates to TrueType Font processing and legitimately affects different components," Barrett said. "By splitting this out, Microsoft is directly addressing a complaint about previous rolled up advisories where it was difficult to properly prioritize the multiple patches required to remediate the problem and component patches were frequently missed."
App Store Policy
In addition to its advisories, Microsoft also announced a new policy for applications in its Windows Store, Windows Phone Store, Office Store and Azure Marketplace.
"Starting today, developers will be required to submit an updated app within 180 days of being notified of a Critical or Important severity security issue," Dustin Childs, group manager, Microsoft Trustworthy Computing, wrote in a blog post. "This assumes the app is not currently being exploited in the wild. In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier."
Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJour