CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Microsoft Patch Tuesday, August 2013

The big news this month in Microsoft's Active Protections Program, other than the eight new bulletins, is the expansion of the MAPP program. First Microsoft will be giving select companies like Trustwave a few extra days of advance notification for the upcoming month of bulletins so that we have a little extra time to develop protections for our customers before the bad guys can reverse engineer the patches and come out with exploits. This will further increase the time frame between Patch Tuesday and Exploit Wednesday. Second the program will offer a feed of sorts of malicious URLs, file hashes, incident data and relevant detection guidance to response companies, CSIRTs, ISACs, and security vendors. And third Microsoft will be offering company's who are partners in the program access to a content vulnerability scanner to scan Office documents, PDF files, Flash movies, and suspect URLs in the 'cloud'. Considering that the MAPP program is almost five years old and has changed very little in that time these are welcome expansions to the program.

As for the eight bulletins this month, there are three critical ones that each includes remote code execution. That includes Internet Explorer, XP and Server 2003 and Exchange Server, which doesn't get much more critical. The rest are rated Important and consist of two Elevation of Privilege, two Denial of Service and one Information Disclosure. All five of them impact various parts of Windows itself. Interesting that this month there doesn't seem to be any Office, SharePoint, or other application level patches.

Start scheduling those reboots, your going to need them this month!


MS13-059 (KB2862772)


Remote Code Execution in Internet Explorer

CVE-2013-3184 CVE-2013-3187CVE-2013-3188 CVE-2013-3189 CVE-2013-3190
CVE-2013-3191 CVE-2013-3193 CVE-2013-3194 CVE-2013-3199

There are eleven CVEs fixed in this update. Most of them are memory corruption issues. At least one of which could allow remote code execution if a user views a specially crafted webpage using Internet Explorer and lets face it getting a user to visit a "specially crafted web page" isn't all that difficult these days. This is acritical update if you are using IE on a Windows client and only Moderate if you are running Windows Server. These even impact IE 11 Preview and 8.1 RT Preview. If you are keeping score, CVE-2013-3199 seems to be the worst of the bunch. Microsoft says that exploit code is likely within thirty days which, considering how much attackers love to use IE, I think is probably a safe bet.(Restart #1)


MS13-060 (KB2850869)


Remote Code Execution in Unicode Scripts Processor


The Unicode Scripts Processor is the Microsoft Windows set of services for rendering Unicode-encoded text, especially complex text layout. In this case a remote code execution could occur if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. This pretty much only impacts Windows XP and Server 2003. It is possible to mitigate this vulnerability without applying the update by setting a custom level in the Security Tab of Internet Options and forcing the system to prompt or disable Font Downloading Security Setting but it is a lot easier to just apply the patch.(Restart #2, maybe)


MS13-061 (KB2876063)


Remote Code Execution in Microsoft Exchange Server

CVE-2013-3781CVE-2013-3776 CVE-2013-2393

While Microsoft correctly lists these vulnerabilities as impacting Exchange Server the real issue is in the included Oracle Outside In Libraries and affect the Web Ready Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. An attacker can take advantage of these if a user previews a specially crafted file using Outlook Web App (OWA). While these vulnerabilities have already been publicly disclosed they have not yet been seen in the wild and Microsoft does not expect exploit code to be written for these anytime soon.(Restart unlikely)


MS13-062 (KB2849470)


Elevation of Privilege in Remote Procedure Call


A Remote Procedure Call is basically a common library that allows a client and server to communicate. In this case the way Microsoft Windows handles asynchronous RPC messages could be used by an attacker and result in an Elevation of Privilege. Microsoft does expect exploit code to be written for this one pretty soon so apply those patches, but be sure you get the right one, there are different packages depending on what version of Windows you are running, just turn on Automatic Updates and let the system figure out which one you need. (Restart #3)


MS13-063 (KB2859537)


Elevation Privilege in Windows Kernel

CVE-2013-2556CVE-2013-3196 CVE-2013-3197 CVE-2013-3198

This vulnerability requires a specially crafted application in order to be exploited which means an attacker must have valid logon credentials and be able to log on locally in order take advantage of this flaw. The primary issue here is how the Windows kernel validates memory address values to disrupt the integrity of Address Space Layout Randomization. ASLR is used to prevent an attacker from reliably jumping to a particular memory address as in the case of a buffer overflow. The particular section of the Windows kernel impacted here is the NT Virtual DOS Machine (NTVDM) that contains a memory corruption issue fixed by this patch. You could try disabling the NTVDM via group policy or by editing the registry but it would be a lot easier to just apply the patch. (Restart #4)


MS13-064 (KB2849568)


Denial of Service in Windows NAT Driver


As the name suggests the Windows NAT Driver provides network address translation in Windows. A specially crafted ICMP packet could cause memory corruption forcing the target system to stop responding until it is restarted. (Restart #5)


MS13-065 (KB2868623)


Denial of Service in ICMPv6


Considering that the CVEs for MS13-064 and MS13-065 are only one digit off and that they both involve ICMP these are probably very closely related vulnerabilities. This vulnerability is caused when the TCP/IP stack does not properly allocate memory for incoming ICMPv6 packets and like M13-064 a specially crafted ICMP packet could cause memory corruption forcing the target system to stop responding until it is restarted. (Restart #6)


MS13-066 (KB2873872)


Information Disclosure in Active Directory Federation Services


Active Directory Federation Services (AD FS) allows the secure sharing of identity information between trusted business partners (known as a federation under Active Directory) across an extranet. This vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which could result in account lockout of the service account used by AD FS. This would result in denial of service for all applications relying on the AD FS instance and reveal information pertaining to the service account. (Restart #7)


Phew, that's seven restarts! Well, if you do it the right way anyway, and by the right way I mean install one patch, restart, test, and then install the next patch. Of course most sys admins I know might test them all on a non-production server and then install them all at once in production and restart once. Up to you, but if you really want to live dangerously just skip the testing and go straight to production! Live on the edge baby!


Latest SpiderLabs Blogs

CVE-2024-3400: PAN-OS Command Injection Vulnerability in GlobalProtect Gateway

Overview A command injection vulnerability has been discovered in the GlobalProtect feature within Palo Alto Networks PAN-OS software for specific versions that have distinct feature configurations...

Read More


We all know the cybersecurity industry loves its acronyms, but just because this fact is widely known doesn’t mean everyone knows the story behind the alphabet soup groups of letters, we must deal...

Read More

Phishing Deception - Suspended Domains Reveal Malicious Payload for Latin American Region

Recently, we observed a phishing campaign targeting the Latin American region. The phishing email contained a ZIP file attachment that when extracted reveals an HTML file that leads to a malicious...

Read More