Last updated at Mon, 24 Jul 2017 19:39:04 GMT

It's another busy month of patching for Microsoft administrators with a number of high priority fixes getting out.  On the plus side, none of the issues patched this month are known to be actively being exploited "in the wild".

The highest risk vulnerabilities, and thus the most important to patch are MS13-009, MS13-010, MS13-011, & MS13-020. 

MS13-009 is a cumulative patch addressing 12 CVEs for Internet Explorer.  MS13-010 was indicated as an Internet Explorer patch in the advance notification, but is actually a patch for the VML parser, of which Internet Explorer is just one possible exploit vector.  The VML issue is particularly dangerous because there is no way to turn off VML parsing in the browser or elsewhere, unlike ActiveX controls, Flash, or hey, even Java  - sort of. Similarly, MS13-011 is a vulnerability in a media decompression library which is exploitable through Internet Explorer, but also could be hit via video embedded in a document or email.  All of these issues were privately reported to Microsoft, but now that they are patched the malware writers will be racing to reverse the fixes.

MS13-020 applies only to Windows XP and would primarily be a risk to organizations and individuals who routinely use and open RTF documents via email or the web.  However, this exploit vector has numerous workarounds, including disabling ActiveX controls from running in office, file blocking policies, etc.

MS13-012 and MS13-013 are both fixes to components that Microsoft has licensed from Oracle for handling of non-Microsoft file formats.  Technically these are "known" issues because they have been patched upstream by Oracle.  For MS13-013 the patch will not be offered if the FAST Advanced Filter Pack option is not enabled, in fact, users may have to seek out the patch manually, but there is a risk that system will become vulnerable if AFP is enabled at a later time.

MS13-014 is interesting because an NFS file share, even if mounted as read only, could cause the mounting Windows server to crash due to a malicious file name.

MS13-015 another .NET patch, this time fixing an Elevation of Privilege related to XPath/XAML parsing. The mitigation is to disable in Internet Explorer and this once again affects all versions of .NET, which means there is a broad spread of affected systems.

MS13-016 contains a whopping 30 CVEs in a Kernel Mode Driver. Technically this is the same issue popping up in 30 places and exploiting any one of them would give Elevation of Privilege.  In this case, I give Microsoft credit for being up front about this issue, they probably could have gotten away with allocating 1 CVE to this if they were trying to downplay their numbers.

MS13-017 is an issue in win32k.sys giving local Elevation of Privilege and affecting all versions of Windows.

MS13-018 – is an old school TCP/IP DoS affecting Win7 and Server 2008.  Technically this is a FIN State (WAIT) vulnerability, where a malicious authenticated connection could cause resource exhaustion on the target, but it requires the attacker to maintain the attack in order to keep the system down.

MS13-019  is an issue in the Client Server Runtime Subsystem.  It is scored higher in the exploitability index because the issue was reported with a public Proof of Concept as a Denial of Service, but in investigation Microsoft found that it could be exploited for privilege elevation.

As with every recent month, we have one (or more) IE patches, a .NET patch, a kernel driver patch, and patches for common libraries.  Let's call this steady progress, but we do seem to be getting into a rut here. Maybe that's a good thing.