Microsoft Security Update: 10 Bulletins Addressing 33 Vulnerabilities, Including Internet Explorer Zero-Day

By Nofar Gueta | May 15, 2013

On May 14th, Microsoft released ten security bulletins (MS13-037 – MS13-046) addressing 33 vulnerabilities. Two of the bulletins are rated critical, and the rest are rated important. One of the critical updates is MS13-038, a security update for Internet Explorer 8 that patches the highly publicized zero-day vulnerability (CVE-2013-1347). The second critical update (MS13-037) is also an update for Internet Explorer, patching eleven vulnerabilities.

The rest of the bulletins address issues in the Windows operating system, in various Office applications and in the .NET Framework:

  • MS13-039 – Security update for a remote denial-of-service caused by triggering an infinite loop in the HTTP.sys driver on Windows 8 and Server 2012 (older versions are not vulnerable).
  • MS13-040 – Security update for .NET Framework patching an XML digital signature validation vulnerability and a WCF endpoint authentication bypass vulnerability.
  • MS13-041 – Security update for Lync patching a remote code execution vulnerability.
  • MS13-042 – Security update for Publisher patching 11 code execution vulnerabilities.
  • MS13-043 – Security update for Word patching a code execution vulnerability.
  • MS13-044 – Security update for Visio patching an information disclosure vulnerability.
  • MS13-045 – Security update for Windows Essentials (specifically Windows Writer) patching an information disclosure vulnerability.
  • MS13-046 – Security update for Windows Kernel (win32k.sys and dxgkrnl.sys) patching three elevation-of-privilege vulnerabilities.

Cyvera TRAPS was developed to prevent exploitation of software vulnerabilities such as the ones above without any prior knowledge of the exploits, since its prevention ability is not based on known signatures or behaviors (unlike traditional solutions).