Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising. Learn More

Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

Database Security

Prevent unauthorized access and exceed compliance requirements.

Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Microsoft Patch Tuesday, February 2013 – Happy Chinese New Year!

Submitted by Space Rogue

Happy Chinese New Year! Welcome to the year of the snake, or the black water snake to be technical.

I know what you're thinking, in between slurping on your long noodles and noshing on your tangerines, you're thinking that twelve security bulletins from Microsoft for the month of February isn't that bad even if it is the short month. Twelve isn't great but it is a manageable number. While twelve bulletins sounds like an easy number keep in mind that those twelve bulletins cover a whopping fifty-seven separate CVEs. Having to fill the gaps of fifty-seven CVEs might be almost as bad having to battle the mythical Nian beast before it gobbles up your children. So put on your best red shirt and maybe these fifty-seven CVE scan be scared into submission.

Lets get this Chinese New Years Party started!

MS13-009 (KB2792100)


Remote Code Execution in Internet Explorer

CVE-2013-0015CVE-2013-0018 CVE-2013-0019 CVE-2013-0020 CVE-2013-0021CVE-2013-0022 CVE-2013-0023 CVE-2013-0024 CVE-2013-0025 CVE-2013-0026CVE-2013-0027 CVE-2013-0028 CVE-2013-0029

In Chinese mythology therat is considered an intelligent problem-solving animal. Although if faced with thirteen CVEs in one bulletin I'm not so sure a solution would come all that easy. The most severe of these CVEs could allow remote code execution in all versions of Internet Explorer from 6 through 10. If for some reason you missed the out of band update MS13-008 that was issued a few weeks ago this update includes patches for the same vulnerability. The thirteen CVEs cover a myriad of issues mostly involving use after free vulnerabilities, which is a fancy way of describing how IE access an item in memory after it has been deleted. An attacker could use these vulnerabilities by creating a special web page and then getting people to visit that page either through an emailed link or compromised web site. Thankfully you don't need the problem solving abilities of a rat to protect yourself from these issues, just install the patch.

MS13-010 (KB2797052)


Remote Code Execution in Internet Explorer


The Ox is often considered obstinate and resistant to change; perhaps Microsoft is taking some cues from the Ox by not removing Vector Markup Language from Internet Explorer. VML has been deprecated for some time in favor of SVG and while Microsoft claims it has been removed from IE 10 this vulnerability in VML still impacts IE10. The issue actually impacts all versions of Internet Explorer, and can be exploited with a specially crafted web page. Vector Markup Language is an XML-based file format for two-dimensional vector graphics.

MS13-011 (KB2780091)


Remote Code Execution in DirectShow


The Tiger is considered to be the lucky animal; which is probably what an attacker would feel like if they were to successfully exploit this vulnerability. Instead of a specially crafted web page this vulnerability requires a specially crafted media file such asan.mpg. The media file could be embedded into a MS Office document such as a Power Point presentation or served up as streaming content on a web page or sent as an attachment in email (which the user would have to open). This issue is present in Windows XP, Server 2003, Vista, and Server 2008. The problem is in how DirectShow, Microsoft's API for streaming content, handles the media file. While Microsoft has not yet seen this vulnerability in the wild they do expect exploit code to be released within the next thirty days, so unless you feel as lucky as a tiger you should install the patch.

MS13-012 (KB2809279)


Remote Code Execution in MS Exchange Server


The fourth sign of the Chinese Zodiac, the rabbit, is considered to be really good at communication; which matches up perfectly with the fourth bulletin this month. MS Exchange Server has an issue with the WebReady Document Viewing component. The Web Ready Document Viewing component allows Outlook Web Access users to view attachments within the browser. This isn't the first problem we have seen an issue in Web Ready Document Viewing, MS12-058also allowed RCE. Like MS12-058 and several other vulnerabilities in recent months the actual code resides in the Oracle Outside In Libraries. This update also includes some non-security updates such as Update Rollup 10 for Exchange Server 2007 (KB2788321) and Update Rollup 6 for ExchangeServer2010 SP2 (KB2746164).Exploiting this vulnerability would only give you access the Local Service account which has minimum privileges but if you were able to combine this with some other elevation of privilege vulnerability, well then, as the rabbit might say, you might just have something.

MS13-013 (KB2784242)


Remote Code Execution in SharePoint Server


In Eastern philosophy, the Dragon is said to be a deliverer of good fortune and a master of authority; which I suppose is how some people feel about their SharePoint servers. However, if they fail to apply this patch they may also be delivering remote code execution. There should not be very many people impacted by this issue, it is present in the FAST Search Server 2010 for SharePoint but only when the Advanced Filter Pack is enabled, however AFP is disabled by default. Advanced Filter Pack is a feature that enables text and metadata extraction from several hundred file formats. This bulletin is closely related to MS13-012 as it updates the Oracle Outside In libraries as well.

MS13-014 (KB2790978)


Denial of Service in NFS Server


NFS or Network File System is a distributed File Systems that basically allows users on a network to share files. Its pretty much been around forever, first developed by Sun backing 1984, and like the Snake it is rather refined and collected when compared to other remote file access protocols. An attacker who exploited this vulnerability could cause the affected system to stop responding and re-start. The vulnerability only affects Windows servers with the NFS role enabled and occurs when the server fails to properly handle a file operation on a read-only share.

MS13-015 (KB2800277)


Elevation of Privilege in .NET Framework


The horse is said to be the life of the party, whish we could say the same for .NET, at least for any parties I have attended. Although personally I can't imagine any party that centers around .NET, well, unless it's a vulnerability patching party!(Sorry.)In this case a user would have to visit that almost mythical by now especially crafted web page with a browser that can run XAML Browser Applications or XBAPs. This bulletin applies to just about every version of .NET from 2.0 SP2 upto4.5. The issue involves the way .NET Framework elevates the permissions of a call back function when a particular Windows Forms object is created which could result in an elevation of privilege for the attacker. By default IE 9 and10prevent XAML from running in the Internet Zone and IE 6, 7, and 8 will prompt the user before running XAML in the Internet Zone. But if you really want to be the life of the party you will install this patch.

MS13-016 (KB2778344)


Elevation of privilege in Kernel-Mode Drivers

CVE-2013-1248 CVE-2013-1249CVE-2013-1250 CVE-2013-1264 CVE-2013-1251 CVE-2013-1265CVE-2013-1252 CVE-2013-1266 CVE-2013-1253 CVE-2013-1267CVE-2013-1254 CVE-2013-1268 CVE-2013-1255 CVE-2013-1269CVE-2013-1256 CVE-2013-1270 CVE-2013-1257 CVE-2013-1271CVE-2013-1258 CVE-2013-1272 CVE-2013-1259 CVE-2013-1273CVE-2013-1260 CVE-2013-1274 CVE-2013-1261 CVE-2013-1275CVE-2013-1262 CVE-2013-1276 CVE-2013-1263 CVE-2013-1277

Whoa, thirty CVEs! That's not very sheepish at all. No way this bulletin is going away quietly or calmly, not with thirty CVEs in it. The issue has to do with how the kernel handles objects in memory. To exploit any of these issues attackers need a specially crafted application and already have a way to login to a system. This issue does not impact Windows 8, Server 2012 or RT because the known attack vectors are blocked in those OSs, however you should still install these patches, it won't hurt anything and provides good security in depth.

MS13-017 (KB2799494)


Elevation of Privilege in Kernel

CVE-2013-1278CVE-2013-1279 CVE-2013-1280

If I had a million dollars I'd buy you a monkey, haven't you always wanted a monkey? No?Haven't you always wanted a vulnerability in the windows kernel? No? Well, sorry, you have not just one, but three. This issue doesn't impact the kernel mode drivers like MS13-016 but the kernel itself and how it handles objects in memory. Again to leverage this attack you need a specially crafted application and a way to get into a system, either with valid login credentials or a different exploit. Once an elevation of privilege has been successful an attacker could run arbitrary code in kernel mode, which would not be good. Unlike MS13-016 this issue does impact Windows 8, Server 2012 and RT as well as all the other version of Windows. Microsoft thinks that two of these CVEs (2013-1278 and 2013-1280) would be rather difficult to exploit but that one of them (2013-1279) will probably have exploit code available within the next month or so. So don't be a monkey and patch as soon as you can.

MS13-018 (KB2790655)


Denial of Service in TCP/IP


As protocols go TCP/IP is about unflamboyant as it gets, sure it helps make the Internet work buts it not the extroverted Rooster that likes to strut it stuff across the wire. Actually the way TCP/IP on Vista, Server 2008, 7, 8 and RT handles connection termination sequences could mean that it won't be able to strut its stuff anywhere. In fact exploitation of this vulnerability could force your machine to stop responding or even automatically restart. While there is very little likelihood, according to Microsoft, of exploit code being developed for this there is no way to mitigate this or work around it; you need to install the patch. So stop parading around like a Rooster and get to it.

MS13-019 (KB2790113)


Elevation of Privilege in Windows Client/Server Run-time Subsystem (CSRSS)


Dogs are considered to be kind and friendly but anyone who exploits this vulnerability probably won't be. The Windows Client/Server Run-time Subsystem (CSRSS) is mostly responsible for Win32 console handling and GUI shutdown however it can also allow elevation of privilege if a user has a specially crafted application and a set of valid logon credentials, or some other way to logon locally. The impact is only for Windows 7 and Server 2008 so if you are running those be sure to grab this patch, yes you can wait until after the dog has had his walk.

MS13-020 (KB2802968)


Remote Code Execution in Object Linking and Embedding


Someone got lucky and I don't think it was the pig. This vulnerability only impacts Windows XP3 SP3,that's it. Actually it probably impacts older versions of Windows as well but Microsoft only lists currently supported versions, besides you really shouldn't be running anything older than XP SP3 anyway and even that is questionable. Exploitation requires a specially crafted file and again deals with objects in memory. Successful exploitation would result in remote code execution, which of course could allow the attacker to be a complete pig and take complete control of a system. Definitely not something to mess around with. To make things even worse Microsoft expects exploit code to be found in the wild for this vulnerability real soon, so get patching.

After you are done patching go let off some firecrackers to hopefully scare off next months Nian patch beast and have Happy New Year everyone!

Latest SpiderLabs Blogs

Trustwave SpiderLabs: Insights and Solutions to Defend Educational Institutions Against Cyber Threats

Security teams responsible for defending educational institutions at higher education and primary school levels often find themselves facing harsh lessons from threat actors who exploit the numerous...

Read More

Breakdown of Tycoon Phishing-as-a-Service System

Just weeks after Trustwave SpiderLabs reported on the Greatness phishing-as-a-service (PaaS) framework, SpiderLabs’ Email Security team is tracking another PaaS called Tycoon Group.

Read More

Trustwave SpiderLabs Uncovers Ov3r_Stealer Malware Spread via Phishing and Facebook Advertising

During an Advanced Continual Threat Hunt (ACTH) investigation that took place in early December 2023, Trustwave SpiderLabs discovered Ov3r_Stealer, an infostealer distributed using Facebook...

Read More