The big news this month in Microsoft's Active ProtectionsProgram, other than the eight new bulletins, is the expansion of the MAPPprogram. First Microsoft will be giving select companies like Trustwave a fewextra days of advance notification for the upcoming month of bulletins so thatwe have a little extra time to develop protections for our customers before thebad guys can reverse engineer the patches and come out with exploits. This willfurther increase the time frame between Patch Tuesday and Exploit Wednesday.Second the program will offer a feed of sorts of malicious URLs, file hashes,incident data and relevant detection guidance to response companies, CSIRTs,ISACs, and security vendors. And third Microsoft will be offering company's whoare partners in the program access to a content vulnerability scanner to scanOffice documents, PDF files, Flash movies, and suspect URLs in the 'cloud'.Considering that the MAPP program is almost five years old and has changed verylittle in that time these are welcome expansions to the program.
As for the eight bulletins this month, there are threecritical ones that each includes remote code execution. That includes InternetExplorer, XP and Server 2003 and Exchange Server, which doesn't get much morecritical. The rest are rated Important and consist of two Elevation ofPrivilege, two Denial of Service and one Information Disclosure. All five ofthem impact various parts of Windows itself. Interesting that this month theredoesn't seem to be any Office, SharePoint, or other application level patches.
Start scheduling those reboots, your going to need them thismonth!
Remote Code Execution in Internet Explorer
CVE-2013-3184 CVE-2013-3187CVE-2013-3188 CVE-2013-3189 CVE-2013-3190
CVE-2013-3191 CVE-2013-3193 CVE-2013-3194 CVE-2013-3199
There are eleven CVEsfixed in this update. Most of them are memory corruption issues. At least oneof which could allow remote code execution if a user views a specially craftedwebpage using Internet Explorer and lets face it getting a user to visit a"specially crafted web page" isn't all that difficult these days. This is acritical update if you are using IE on a Windows client and only Moderate if youare running Windows Server. These even impact IE 11 Preview and 8.1 RT Preview.If you are keeping score, CVE-2013-3199 seems to be the worst of the bunch.Microsoft says that exploit code is likely within thirty days which,considering how much attackers love to use IE, I think is probably a safe bet.(Restart #1)
Remote Code Execution in Unicode Scripts Processor
The Unicode Scripts Processor isthe Microsoft Windows set of services for rendering Unicode-encodedtext, especially complex text layout. In this case a remote code executioncould occur if a user viewed a specially crafted document or webpage with anapplication that supports embedded OpenType fonts. This pretty much onlyimpacts Windows XP and Server 2003. It is possible to mitigate thisvulnerability without applying the update by setting a custom level in theSecurity Tab of Internet Options and forcing the system to prompt or disable FontDownloading Security Setting but it is a lot easier to just apply the patch.(Restart #2, maybe)
Remote Code Execution in Microsoft ExchangeServer
While Microsoftcorrectly lists these vulnerabilities as impacting Exchange Server the realissue is in the included Oracle Outside In Libraries and affect the WebReadyDocument Viewing and Data Loss Prevention features of Microsoft ExchangeServer. An attacker can take advantage of these if a user previews a speciallycrafted file using Outlook Web App (OWA). While these vulnerabilities havealready been publicly disclosed they have not yet been seen in the wild andMicrosoft does not expect exploit code to be written for these anytime soon.(Restart unlikely)
Elevation of Privilege in Remote Procedure Call
A Remote Procedure Callis basically a common library that allows a client and server tocommunicate. In this case the way MicrosoftWindows handles asynchronous RPC messages could be used by an attacker andresult in an Elevation of Privilege. Microsoft does expect exploit code to bewritten for this one pretty soon so apply those patches, but be sure you getthe right one, there are different packages depending on what version of Windowsyou are running, just turn on Automatic Updates and let the system figure outwhich one you need. (Restart #3)
Elevation Privilege in Windows Kernel
CVE-2013-2556CVE-2013-3196 CVE-2013-3197 CVE-2013-3198
This vulnerabilityrequires a specially crafted application in order to be exploited which means anattacker must have valid logon credentials and be able to log on locally inorder take advantage of this flaw. The primary issue here is how the Windowskernel validates memory address values to disrupt the integrity of Address Space Layout Randomization.ASLR is used to prevent an attacker from reliably jumping to a particular memoryaddress as in the case of a buffer overflow. The particular section of the Windowskernel impacted here is the NT Virtual DOS Machine (NTVDM) that contains amemory corruption issue fixed by this patch. You could try disabling the NTVDMvia group policy or by editing the registry but it would be a lot easier tojust apply the patch. (Restart #4)
Denial of Service in Windows NAT Driver
As the name suggests theWindows NAT Driver provides network address translation in Windows. A speciallycrafted ICMP packet could cause memory corruption forcing the target system tostop responding until it is restarted. (Restart #5)
Denial of Service in ICMPv6
Considering that theCVEs for MS13-064 and MS13-065 are only one digit off and that they both involveICMP these are probably very closely related vulnerabilities. Thisvulnerability is caused when the TCP/IP stack does not properly allocate memoryfor incoming ICMPv6 packets and like M13-064 a specially crafted ICMP packetcould cause memory corruption forcing the target system to stop respondinguntil it is restarted. (Restart #6)
Information Disclosure in Active DirectoryFederation Services
Active DirectoryFederation Services (AD FS) allows the secure sharing of identity informationbetween trusted business partners (known as a federation under ActiveDirectory) across an extranet. This vulnerability could reveal informationpertaining to the service account used by AD FS. An attacker could then attemptlogons from outside the corporate network, which could result in accountlockout of the service account used by AD FS. This would result in denial ofservice for all applications relying on the AD FS instance and revealinformation pertaining to the service account. (Restart #7)
Phew, that's sevenrestarts! Well, if you do it the right way anyway, and by the right way I meaninstall one patch, restart, test, and then install the next patch. Of coursemost sys admins I know might test them all on a non-production server and theninstall them all at once in production and restart once. Up to you, but if youreally want to live dangerously just skip the testing and go straight toproduction! Live on the edge baby!