July's Patch Tuesday fixes Windows privilege system
On its July Patch Tuesday, Microsoft released a total of seven patch packages (bulletins). All except one of them close critical vulnerabilities. The company has closed a total of 34 holes in Windows, Internet Explorer, Office and many other products, among them the Windows kernel vulnerability that has affected the Windows privilege system for over a month.
Google security expert Tavis Ormandy discovered the kernel hole in May and didn't wait too long before disclosing details of it on the net. Shortly afterwards, an exploit followed that opens a Windows prompt at system privilege level – regardless of the user's actual privilege level. The hole, with CVE identification number CVE-2013-3660, affects all versions of Windows. Microsoft didn't warn its customers about the security problem ahead of the patch day despite, according to the company, the hole being exploited for targeted attacks. Talking to The H's associates at heise Security since the disclosure, Microsoft had only said that it was investigating the problem and was working on a solution. Patch bulletin MS13-053 closes further critical security holes, including an issue in the code for processing TrueType fonts, and should be installed as soon as possible.
The .NET framework and Silverlight also struggle with, among other problems, specially crafted TrueType fonts, potentially allowing attackers to inject malicious code. Microsoft said that two of the vulnerabilities the patch bulletin fixes had already been publicly disclosed. The GDI+ graphics library contains a critical font processing issue that allows online criminals to infect systems with malware. The library is part of many Microsoft applications, all of which are affected: all versions of Windows, Office 2003 to 2010, Visual Studio .NET 2003 and Microsoft Lync.
Microsoft also released a collective update for Internet Explorer, a critical update for DirectShow and another for the Windows Media Format runtime. Last but not least, there is a patch for Windows Defender to close a hole that allows attackers to execute code at system privilege level in Windows 7 and Server 2008 R2. To exploit the hole, however, potential attackers must be able to log into a system, and apparently they must also have the right to write to the highest level of the system disk. This is the only update that Microsoft has rated at the second highest threat level.
The company also announced that the developers of apps that are available in the Windows Store, Windows Phone Store, Office Store and Azure Marketplace will, in future, have 180 days to close "critical" and "important" vulnerabilities. A prerequisite for this rather generous period of grace is that there mustn't yet be a public exploit for the hole. Otherwise, Microsoft said, it will withdraw vulnerable apps at short notice if necessary.