Microsoft Security Updates for November 2013

Microsoft released eight (8) bulletins.  Three of the bulletins are identified as Critical with the remaining five bulletins rated Important.

The updates address vulnerabilities in Internet Explorer and Microsoft Windows.  Please refer to the MSRC Blog post, Authenticity and the November 2013 Security Updates, for additional information about the updates, including the update to EMET and a new policy for CA's (Certificate Authorities).

The update in MS13-090 addresses CVE-2013-3918 which affects an Internet Explorer ActiveX Control which was publicly disclosed.

Critical:

• MS13-088 -- Cumulative Security Update for Internet Explorer (2888505) 
• MS13-089 -- Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution (2876331)  
• MS13-090 -- Cumulative Security Update of ActiveX Kill Bits (2900986) 

Important: 

• MS13-091 -- Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2885093)
• MS13-092 -- Vulnerability in Hyper-V Could Allow Elevation of Privilege (2893986) 
• MS13-094 -- Vulnerability in Microsoft Outlook Could Allow Information Disclosure (2894514) 
• MS13-095 -- Vulnerability in Digital Signatures Could Allow Denial of Service (2868626) 

MSRT

Microsoft released an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Two families targeted by the Malicious Software Removal Tool (MSRT) this month are Win32/Napolar and the bitcoin mining family Win32/Deminnix.

Support

Users of Windows XP are reminded that support ends for Windows XP on April 8, 2014.  See Tim Rains article, The Countdown Begins: Support for Windows XP Ends on April 8, 2014.


The following additional information is provided in the Security Bulletin:

• The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
• Security solutions for IT professionals: TechNet Security Troubleshooting and Support
• Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
• Local support according to your country: International Support

References

• MSRC: Authenticity and the November 2013 Security Updates
• MSRC: ActiveX Control issue being addressed in Update Tuesday
• TechNet: Microsoft Security Bulletin for November 2013
• MMPC:   MSRT November 2013 - Napolar
• SR&D:   Technical details of the targeted attack using IE vulnerability CVE-2013-3918

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...