Security experts at Tripwire have the following comments about Tuesday´s giant Microsoft patch:
Tyler Reguly, security research and development manager:
“Today’s list of bulletins contains two patches that top my list, yet Microsoft considers one of them to be ‘important’ rather than ‘critical’. First is MS13-096, which fixes the zero-day vulnerability affecting TIFF file formats and second is MS13-106, an update to hxds.dll. The second issue is not a code execution issue, it’s an ASLR bypass that has been used frequently in other exploits. It’ll be nice to see this ASLR bypass removed from the exploit development toolkit.
Seeing details on the bulletins, this month really is best compared to a lump of coal — it’s an awful mix for sys admins to deal with. 106 bulletins in a year is either a sign that more people are targeting Microsoft or that their software is becoming more insecure. I’d hope that over time we’d see bulletin numbers decrease, not increase.
MS13-098, the Authenticode issue, is the most interesting item this month. The ability to modify an installer to pull down malicious files is interesting. The proper signing of trusted packages is important and the possibility of blocking installers that aren’t properly signed via a registry change is a great advancement.”
Craig Young, security researcher:
“The top priorities this month for most users are the critically rated GDI+ fix in MS13-096 and the IE fixes in MS13-097, but further down the list there’s a small change in MS13-106 that enables ASLR for the hxds.dll system library. This fix will go a long way toward protecting customers from future zero-day attacks.
ASLR, an acronym for Address Space Layout Randomization, is a critical technology for mitigating code execution vulnerabilities. In short, this technology increases the difficulty of writing reliable exploits by making it more difficult for attackers to predict where certain machine instructions will exist in the system’s memory space. This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the ‘ms-help:’ protocol handler. Until today the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).
Microsoft rated MS13-106 as ‘important’ rather than ‘critical’ because it does not directly address a vulnerability. From my point of view, there are malicious operators that already have knowledge of unpatched IE code execution bugs and new ones will continue to be discovered based on the steady stream of use-after-free bugs being reported. I strongly suggest that users patch all affected systems as soon as possible to mitigate future exploits targeting hxds.dll for ASLR bypass.”