Microsoft Patch Tuesday Toughens IE Browser

The Patch Tuesday update fixes 23 vulnerabilities overall and includes an update for Internet Explorer.

“The third vulnerability, CVE-2013-3781, exists in Exchange Server 2013 through the Data Loss Protection (DLP) feature,” Microsoft’s bulletin states. “This vulnerability could cause the affected Exchange Server to become unresponsive if a user views a specially crafted file through Outlook Web Access in a browser.”

RPC

Although Microsoft rated it only as “Important,” Ross Barrett, security researcher at Rapid7, sees the MS13-062 bulletin as perhaps the most genuinely interesting vulnerability this month. That bulletin covers an elevation-of-privilege issue in Microsoft Remote Procedure Call (RPC).

“Microsoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong,” Barrett said.

Wolfgang Kandek, CTO of security firm Qualys, sees the MS13-065 bulletin, which details an IPv6 denial-of-service issue, as noteworthy. In Kandek’s view, the IPv6 flaw gives us a glimpse of IPv6 as a new attack surface. The vast majority of all Internet traffic today is carried over IPv4, which has a 32-bit addressing scheme that is running out of usable space. In contrast, the next-generation IPv6 addressing system has a 128-bit space.

“I don’t think researchers have focused on that [IPv6] area yet, so there will be more vulnerabilities to come,” Kandek said. “At the same time, IPv6 tends to be just on by default and I believe many organisations are not actively managing it.”

Originally published on eWeek.