Top of the patch list must be Microsoft's fix for the 'TIFF zero-day vulnerability' (MS13-096) that was discovered being exploited in early November. The exploit, warns Trustwave's director of security research Ziv Mador, "allows an attacker to install malware by persuading an individual to open or preview a malformed TIFF image."
It is, agrees Wolfgang Kandek, CTO at Qualys, 'our top priority.' "This vulnerability is currently under targeted attacks in the Middle East and Asia, and the exploits typically arrive in an Office document."
A second exploited zero-day vulnerability discovered last month "does not get addressed in this patch cycle, as it was discovered too late to make it into this release," adds Kandek. This one is less severe than the TIFF vulnerability since it depends on a second vulnerability for delivery. Both this and the TIFF vulnerability only affect older versions of Windows, including XP; and Kandek and other security experts comment that the best way to patch XP (which will no longer be supported by Microsoft within a few short months) is to upgrade to a newer version of the operating system.
The next priority should be the monthly Internet Explorer update. "Get the shared and exposed resources patched first," suggests Ross Barrett, senior manager of security engineering at Rapid7, adding bulletins MS13-097 (IE, all versions) and MS13-099 (Scripting Runtime) to the TIFF update.
The IE update, explains Mador, "includes five critical Internet Explorer vulnerabilities and two important CVEs. These vulnerabilities include the typical memory corruption vulnerabilities as well as vulnerabilities that allow bypassing XSS filters and other security features." Although not yet exploited, Kandek notes that "the bulletin comes with a low Exploitability rating of 1, indicating that an exploit for the vulnerabilities would not be hard to craft. The exploit would be delivered through a malicious webpage."
The third of Barrett's priorities is bulletin MS13-099. "This is an interesting vulnerability," he suggests, "because it’s exploitable by VBA script and is not mitigated by EMET countermeasures... This issue is not yet publicly under exploit," he adds, "but could be an early candidate to make the jump."
Tyler Reguly, security research and development manager at Tripwire, adds a fourth bulletin to his urgent list, even though Microsoft classifies it only as 'important' rather than 'critical.' MS13-106 is an update to hxds.dll. It "is not a code execution issue," he explains, "it’s an ASLR bypass that has been used frequently in other exploits. It’ll be nice to see this ASLR bypass removed from the exploit development toolkit."
Mador explains the relevance and importance of the update. "ASLR provides the core function of randomizing the location of a given process in memory to prevent the reliable exploitation of a program function in memory. However, ASLR can become ineffective when a software package or component doesn’t support this security feature. For this bulletin, there is a component in Microsoft Office 2007/2010 that was not originally implemented with ASLR resulting in this bypass vulnerability... Currently," he adds, "this is one of the few vulnerabilities in the release that has been exploited in the wild."
Two other bulletins are marked 'critical'. MS13-098 handles a single vulnerability in Windows, but one, says Mador, that will "make you think twice before downloading any software from an unofficial source—even if it is code signed... This vulnerability, however, allows an attacker to modify a signed Windows executable file without the user being notified that the signature has been invalidated."
MS13-105 fixes three critical vulnerabilities in Exchange Server. They relate to the Oracle Outside In Technologies component used for document viewing, fixed by Oracle in October, but now also fixed within Exchange Server by Microsoft.
The remaining bulletins are marked important; but patching them remains important. Patching, stresses Mador, "is one of the best defenses against becoming a cyber-criminal's next victim."