This week, Microsoft issued patches and critical updates to address 23 Internet Explorer and Exchange bugs. While you should always install updates and patches as quickly as possible, Microsoft has recommended prioritizing MS13-059 and MS13-060.
The first is a cumulative security update for Internet Explorer that prevents remote code execution when a person views a malware-ridden webpage using Internet Explorer. The vulnerability doesn't allow direct execution, but it can be exploited along with other vulnerabilities to gain user rights for remote code execution.
The second is a Windows vulnerability that could allow an attacker to execute remote code from the Windows Unicode Scripts Processor. Because Windows fonts are drawn at the kernel level, an attacker could influence the drawing of fonts and overflow it, directing the user to e-mails, documents or Web pages containing malware.
Microsoft addresses the critical Exchange vulnerability in MS13-061. Of a total of three vulnerabilities, two are found in Exchange's WebReady Document Viewing. The other is in Exchange's Data Loss Protection feature.
Wolfgang Kandek, CTO of Qualys, told SecurityWatch that Oracle discovered and disclosed the three Exchange vulnerabilities. The WebReady Document Viewing feature has been patched three times already within the past year. Kandek provides an analysis of the August security update in the following video:
"Oracle continues to give Microsoft and Exchange a consistent black eye," Kandek noted. "It has been very easy to find vulnerabilities in this software component."
For this reason, Kandek recommends that users consider both downloading the patches and shutting off WebReady Document Viewing. Although users will have to download e-mail attachments to view documents, they may prefer a slight inconvenience to the vulnerability-ridden WebReady feature.
In addition to these main patches, Microsoft has addressed vulnerabilities regarding information disclosure, elevation of privilege and denial of service. The company also released a patch for an IPv6 vulnerability.
Edited by Alisen Downey