Microsoft Patch Tuesday, December 2013

'Tis the season for an increase in cyber-criminal activities. In the past couple months, cyber-criminals built up their arsenals by acquiring zero-day exploits including the zero-day remote code execution in the Microsoft Graphics component vulnerability (Microsoft Security Advisory 2896666) and the privilege escalation vulnerability in the Windows kernel (Microsoft Security Advisory 2914486). Fortunately, a gift from Microsoft included in this month's release is a patch for the Microsoft Graphics component remote code execution vulnerability (aka the TIFF zero-day vulnerability). This is definitely one of those gifts that we all can appreciate and be thankful for. However, there are no signs of a patch for CVE-2013-5065 being available before Christmas or even this year. Hopefully, this one is on the list before the next holiday. Please stay tuned for any further developments.

This month's patch Tuesday will be the stuff of holiday memories with a total of eleven bulletins and ten CVEs which are critical. Make sure your name is included on Santa's "nice" list by applying these December security updates as soon as possible. Many of these vulnerabilities are currently being exploited in the wild and patching is one of the best defenses against becoming a cyber-criminal's next victim. Before Microsoft's sleigh arrives brimming holiday security patches; put on your slippers, grab some cocoa and review this summary of each of the bulletins included in December's release.

MS13-096 (KB2908005)


Remote Code Execution Vulnerability in Microsoft Graphic Component


Does the TIFF zero-day vulnerability ring a bell? Microsoft announced this remote code execution vulnerability in the Microsoft graphics component targeting Windows 2007 Office installations in the wild back on November 5th. This exploit allows an attacker to install malware by persuading an individual to open or preview a malformed TIFF image. Last month, we mentioned the fixit work-around, however, this vulnerability is now mitigated in this month's security update.

MS13-097 (KB2898785)


Multiple Vulnerabilities in Internet Explorer

CVE-2013-5045 CVE-2013-5046 CVE-2013-5047 CVE-2013-5048 CVE-2013-5049
CVE-2013-5051 CVE-2013-5052

Each of Microsoft's monthly security releases this year have included at least one critical Internet Explorer vulnerability. This month is no different in that it includes five critical Internet Explorer vulnerabilities and two important CVEs. These vulnerabilities include the typical memory corruption vulnerabilities as well as vulnerabilities that allow bypassing XSS filters and other security features. These vulnerabilities affect Internet Explorer 6, 7, 8, 9, 10 and 11. For Windows Client platform this bulletin is rated critical , but for Server platforms it is rated as important.

MS13-098 (KB2893294)


Vulnerability in Windows


This bulletin contains a single vulnerability, but it will make you think twice before downloading any software from an unofficial source—even if it is code signed. Code signing is useful for verifying the identity of an application's author and ensuring that the code has not been modified. This vulnerability, however, allows an attacker to modify a signed Windows executable file without the user being notified that the signature has been invalidated. The vulnerability results from the WinVerifyTrust function improperly handling the Windows Authenticode signature verification process.

MS13-099 (KB2909158)


Vulnerability in Microsoft Scripting Runtime Object


This is one of the few vulnerabilities observed during the year that affects all supported versions of the Windows platform. Specifically, this bulletin mitigates a use-after-free vulnerability existing in the Microsoft Scripting Runtime Object library affecting Windows Script 5.6, 5.7 and 5.8. If an attacker successfully persuades a user to visit a malicious website, the attacker could obtain local user privileges and execute code. We can all be thankful that this vulnerability hasn't been exploited in the wild quite yet, but once it is this one could be particularly nasty.

MS13-100 (KB2904244)


Vulnerability in Microsoft SharePoint Server


Sharepoint users may breathe a a sigh of relief, there are no critical vulnerabilities in this bulletin. If you remember last month, there was the MAC Disabled vulnerability (CVE-2013-1330) that allowed for the execution of arbitrary code under the W3WP service account. This privilege escalation vulnerability, however, requires that the attacker already possess SharePoint credentials in order to obtain the W3WP service account permissions. The Microsoft SharePoint Server 2013 (coreserverloc) (2850058) security update will ensure this vulnerability is mitigated.

MS13-101 (KB2880430)


Vulnerabilities in Windows Kernel-Mode Drivers

CVE-2013-3899 CVE-2013-3902 CVE-2013-3903 CVE-2013-3907 CVE-2013-5058

Most of these CVEs address memory usage issues in the Win32k.sys kernel mode driver. Both the win32k Integer Overflow Vulnerability and wik32k use-after-free vulnerability appear to be the most severe of the five CVEs. These vulnerabilities allow an attacker to escalate a user's privilege and/or cause denial-of-service conditions.

MS13-102 (KB2898715)


Vulnerability in Windows Local Call Procedure Call


This bulletin patches a buffer-overflow vulnerability in the Windows Local Procedure Call that an attacker can use to escalate privileges. Because this vulnerability only affects LPC; only legacy Microsoft operating systems such as Windows XP and Windows Server 2003 are effected. LPC was rewritten as Advanced Local Procedure Call (ALPC) starting with the Windows Vista release. As a reminder, those folks who running Windows XP will need to upgrade soon as Microsoft will stop supporting XP in April 2014.

MS13-103 (KB2905244)


Vulnerability in SignalR


This bulletin covers a reflective cross-site scripting vulnerability in the SignalR library. The SignalR library provides an API for creating asynchronous scalable ASP.NET applications with real-time persistent connections. More information about this library is available at

This particular reflective cross-site scripting vulnerability is caused by a un-sanitized user input that allows an attacker to inject malicious client-side JavaScript. The application is vulnerable if the server hosting the web application is using the SignalR chat functionality. Regardless, this patch still needs to be applied.

MS13-104 (KB2909976)


Vulnerability in Microsoft Office


This bulleting addresses a mere information-disclosure vulnerability, but it's still a big deal. By exploiting this vulnerability, an attacker could simply send a spear-fishing email to a user and steal their RPStokens for access to a SharePoint or other Microsoft Office server site. This vulnerability has not been detected in the wild yet, but due to its simplicity, attackers may elect to take advantage of it soon. This bulletin is rated important for Microsoft Office 2013 (both 32-bit and 64-bit editions) and Microsoft 2013 RT since the attack's success requires the social engineering component.

MS13-105 (KB2880833)


Vulnerabilities in Microsoft Exchange Server

CVE-2013-1330 CVE-2013-5763 CVE-2013-5791 CVE-2013-5072

This bulletin fixes three critical vulnerabilities. One of the vulnerabilities is the MAC Disabled Vulnerability that allows for remote code-execution. Wait, doesn't this seem like déjà vu? Last month the exact same vulnerability in SharePoint was addressed, however, it ha been found to affect other Microsoft products as well.

These critical vulnerabilities are based on Exchange leveraging the Oracle Outside In Technologies component used for document viewing. While Oracle addressed the vulnerability in October 2013 Cumulative Patch Update (CPU), Microsoft patches Exchange this month.

MS13-106 (KB2905238)


Vulnerability in Microsoft Office Shared Component


This bulletin mitigates a vulnerability that allows an attacker to bypass the Address Space Layout Randomization (ASLR) security feature. ASLR provides the core function of randomizing the location of a given process in memory to prevent the reliable exploitation of a program function in memory. However, ASLR can become ineffective when a software package or component doesn't support this security feature.

For this bulletin, there is a component in Microsoft Office 2007/2010 that was not originally implemented with ASLR resulting in this bypass vulnerability. Remember that a security bypass vulnerability is only useful when it's exploited in conjunction with another vulnerability such as a buffer overflow. Currently, this is one of the few vulnerabilities in the release that has been exploited in the wild.

Before we go, our holiday tidings this year include a recommendation: please enable automatic updates for Microsoft.

Please note that this security update doesn't cover the elevation-of-privilege vulnerability (CVE-2013-5065) disclosed at the end of November in this Microsoft Security Advisory (2914486). As it currently stands, there is an unpatched privilege vulnerability in the kernel component of Windows XP and Windows 2003 Server platform that allows a local user to execute commands with the privileges of an administrator. Fortunately, Microsoft has provided a workaround of rerouting the NDProxy service to Null.sys to protect against this threat. Additionally, the attacks observed in the wild are exploiting an earlier Adobe Reader vulnerability (CVE-2013-3346) reported in Adobe bulletin (APSB13-15) which is used in conjunction with this privilege escalation vulnerability. Adobe released a fix to mitigate the vulnerability in Adobe Reader back in May. However, Adobe Reader should be upgraded to the latest version.

Happy patching, and have a great holiday! Thank you for staying tuned and we will be back next year to deliver more Microsoft's security update insights.

Trustwave reserves the right to review all comments in the discussion below. Please note that for security and other reasons, we may not approve comments containing links.