The latest cycle of Microsoft security updates will keep admins busy applying fixes to a variety of critical and important vulnerabilities.
There are eight bulletins for November's Patch Tuesday security updates. Three of the bulletins are critical while the other five are important. All of the critical bulletins include security updates for remote code execution vulnerabilities.
One critical update is for Internet Explorer, with fixes for 10 reported vulnerabilities that could let attackers gain the same rights as the people viewing a malicious webpage with IE. The updates affect all versions of IE 6 through 11.
Another critical update, MS13-090, fixes a zero-day bug in the InformationCardSigninHelper Class ActiveX control. This vulnerability could be exploited if someone views a malicious webpage in IE and the page initiates the ActiveX control.
Instead of patching the vulnerability, Microsoft disabled the feature through kill bits for the control, said Wolfgang Kandek, CTO of Qualys Inc., a Redwood Shores, Calif.-based IT security firm.
Considering the vulnerability was published last week, Microsoft could not develop and test a fix for the feature, which had stagnated as part of a now-unused single sign-on effort. Microsoft sent a configuration patch instead of wasting resources performing tests on it, Kandek said.
The update is rated critical for all versions of Windows, but moderate for all versions of Windows Server 2003 and higher.
The last critical update is for the Windows Graphics Device Interface, which has a vulnerability that could let attackers gain the same rights as the people who open a malicious Windows Write file in WordPad. This vulnerability affects multiple versions of Windows Server.
Another zero-day flaw in the wild did not make it into this round of updates: an issue in the handling of the TIFF file format that could be exploited. Fortunately, Kandek said, the TIFF format is rarely used and can be disabled by going into the registry or downloading an MSI workaround Microsoft has provided.
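Both mitigations described above (the kill bits for the ActiveX control and the registry-based TIFF workaround) leave a footprint in the registry that an administrator can audit across a fleet. The following PowerShell script is an added example, not code from the article or from Microsoft or Qualys. It assumes the documented kill-bit layout (a "Compatibility Flags" DWORD with bit 0x400 set under the ActiveX Compatibility key for the control's CLSID, checked in both the native and Wow6432Node hives on 64-bit hosts); the CLSID is a placeholder because the article does not give it. The TIFF check assumes the workaround sets a DisableTIFFCodec value of 1 under HKCU\Software\Microsoft\Gdiplus, which is how I recall the Fix it package worked; verify that path against the advisory before relying on it.

```powershell
# Added example (not from the article): audit the kill-bit and TIFF-codec
# mitigations on the local host. Run in an elevated PowerShell session.
param(
    # PLACEHOLDER CLSID: replace with the control's real CLSID from MS13-090.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

# Documented kill-bit flag in the "Compatibility Flags" DWORD.
$KillBitFlag = 0x400

function Test-ActiveXKillBit {
    param([string]$Clsid)
    # 64-bit Windows keeps a separate compatibility hive for 32-bit IE.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($hive in $hives) {
        $key = Join-Path $hive $Clsid
        if (-not (Test-Path $key)) {
            [pscustomobject]@{ Hive = $hive; Clsid = $Clsid; Flags = $null; KillBitSet = $false }
            continue
        }
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                   -ErrorAction SilentlyContinue).'Compatibility Flags'
        [pscustomobject]@{
            Hive       = $hive
            Clsid      = $Clsid
            Flags      = $flags
            # Kill bit is set only if the 0x400 bit is present in the flags.
            KillBitSet = ($null -ne $flags) -and (($flags -band $KillBitFlag) -eq $KillBitFlag)
        }
    }
}

function Test-TiffCodecDisabled {
    # Assumption: the workaround writes DisableTIFFCodec=1 under this key.
    $key = 'HKCU:\Software\Microsoft\Gdiplus'
    $val = (Get-ItemProperty -Path $key -Name 'DisableTIFFCodec' `
             -ErrorAction SilentlyContinue).DisableTIFFCodec
    [pscustomobject]@{ Key = $key; DisableTIFFCodec = $val; Disabled = ($val -eq 1) }
}

Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize
Test-TiffCodecDisabled | Format-List
```

A host where MS13-090 has been applied should report KillBitSet = True for the control's CLSID in every hive that exists on that machine; a False in the Wow6432Node hive on a 64-bit host means 32-bit IE can still load the control. Because the TIFF value lives under HKCU, it must be checked in the profile of each user who opens documents, not just the administrator's.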
Hyper-V vulnerability dubbed 'coolest'
MS13-092 includes a security update for an elevation of privilege vulnerability in Windows 8 and Windows Server 2012 Hyper-V. Microsoft says the vulnerability could be exploited if attackers pass an infected function parameter in a hypercall from a running VM to the hypervisor. This vulnerability could also result in denial of service for the Hyper-V host.
Plus, it gets a dubious honor.
"It's probably the coolest vulnerability" from this month, said Kandek. This is because not only could it cause a denial of service for the host operating system as advertised, but Microsoft is also investigating whether or not a guest OS can infect other guest operating systems as well as the host.
While Kandek doesn't advise shifting away from virtualization, "you have to be aware that it is an additional layer of software," he said.
November's other important security updates include fixes for information disclosure, elevation of privilege and denial of service vulnerabilities.
Other important security updates address vulnerabilities in Microsoft Outlook, Microsoft Office, digital signatures and the Windows Ancillary Function Driver. The complete list of security updates for November's Patch Tuesday cycle can be found here.
The latest batch of bulletins brings the yearly bulletin total up to 95, a significant increase from 73 at the same point last year.