SpiderLabs Blog

Microsoft Patch Tuesday, February 2013 – Happy Chinese New Year!

Submitted by Space Rogue

Happy Chinese New Year! Welcome to the year of the snake, or the black water snake to be technical.

I know what you're thinking, in between slurping on your long noodles and noshing on your tangerines, you're thinking that twelve security bulletins from Microsoft for the month of February isn't that bad even if it is the short month. Twelve isn't great but it is a manageable number. While twelve bulletins sounds like an easy number, keep in mind that those twelve bulletins cover a whopping fifty-seven separate CVEs. Having to fill the gaps of fifty-seven CVEs might be almost as bad as having to battle the mythical Nian beast before it gobbles up your children. So put on your best red shirt and maybe these fifty-seven CVEs can be scared into submission.

Let's get this Chinese New Year's Party started!

MS13-009 (KB2792100)


Remote Code Execution in Internet Explorer

CVE-2013-0015 CVE-2013-0018 CVE-2013-0019 CVE-2013-0020 CVE-2013-0021 CVE-2013-0022 CVE-2013-0023 CVE-2013-0024 CVE-2013-0025 CVE-2013-0026 CVE-2013-0027 CVE-2013-0028 CVE-2013-0029

In Chinese mythology the rat is considered an intelligent problem-solving animal. Although if faced with thirteen CVEs in one bulletin I'm not so sure a solution would come all that easy. The most severe of these CVEs could allow remote code execution in all versions of Internet Explorer from 6 through 10. If for some reason you missed the out of band update MS13-008 that was issued a few weeks ago, this update includes patches for the same vulnerability. The thirteen CVEs cover a myriad of issues mostly involving use-after-free vulnerabilities, which is a fancy way of describing how IE accesses an item in memory after it has been deleted. An attacker could use these vulnerabilities by creating a special web page and then getting people to visit that page either through an emailed link or a compromised web site. Thankfully you don't need the problem-solving abilities of a rat to protect yourself from these issues, just install the patch.

MS13-010 (KB2797052)


Remote Code Execution in Internet Explorer


The Ox is often considered obstinate and resistant to change; perhaps Microsoft is taking some cues from the Ox by not removing Vector Markup Language from Internet Explorer. VML has been deprecated for some time in favor of SVG and while Microsoft claims it has been removed from IE 10 this vulnerability in VML still impacts IE 10. The issue actually impacts all versions of Internet Explorer, and can be exploited with a specially crafted web page. Vector Markup Language is an XML-based file format for two-dimensional vector graphics.

MS13-011 (KB2780091)


Remote Code Execution in DirectShow


The Tiger is considered to be the lucky animal; which is probably what an attacker would feel like if they were to successfully exploit this vulnerability. Instead of a specially crafted webpage this vulnerability requires a specially crafted media file such as an .mpg. The media file could be embedded into an MS Office document such as a PowerPoint presentation or served up as streaming content on a web page or sent as an attachment in email (which the user would have to open). This issue is present in Windows XP, Server 2003, Vista, and Server 2008. The problem is in how DirectShow, Microsoft's API for streaming content, handles the media file. While Microsoft has not yet seen this vulnerability in the wild they do expect exploit code to be released within the next thirty days, so unless you feel as lucky as a tiger you should install the patch.

MS13-012 (KB2809279)


Remote Code Execution in MS Exchange Server


The fourth sign of the Chinese Zodiac, the rabbit, is considered to be really good at communication; which matches up perfectly with the fourth bulletin this month. MS Exchange Server has an issue with the WebReady Document Viewing component. The WebReady Document Viewing component allows Outlook Web Access users to view attachments within the browser. This isn't the first time we have seen an issue in WebReady Document Viewing; MS12-058 also allowed RCE. Like MS12-058 and several other vulnerabilities in recent months the actual code resides in the Oracle Outside In Libraries. This update also includes some non-security updates such as Update Rollup 10 for Exchange Server 2007 (KB2788321) and Update Rollup 6 for Exchange Server 2010 SP2 (KB2746164). Exploiting this vulnerability would only give you access to the LocalService account, which has minimum privileges, but if you were able to combine this with some other elevation of privilege vulnerability, well then, as the rabbit might say, you might just have something.

MS13-013 (KB2784242)


Remote Code Execution in SharePoint Server


In Eastern philosophy, the Dragon is said to be a deliverer of good fortune and a master of authority; which I suppose is how some people feel about their SharePoint servers. However, if they fail to apply this patch they may also be delivering remote code execution. There should not be very many people impacted by this issue; it is present in the FAST Search Server 2010 for SharePoint but only when the Advanced Filter Pack is enabled, and AFP is disabled by default. Advanced Filter Pack is a feature that enables text and metadata extraction from several hundred file formats. This bulletin is closely related to MS13-012 as it updates the Oracle Outside In libraries as well.

MS13-014 (KB2790978)


Denial of Service in NFS Server


NFS or Network File System is a distributed file system that basically allows users on a network to share files. It's pretty much been around forever, first developed by Sun back in 1984, and like the Snake it is rather refined and collected when compared to other remote file access protocols. An attacker who exploited this vulnerability could cause the affected system to stop responding and restart. The vulnerability only affects Windows servers with the NFS role enabled and occurs when the server fails to properly handle a file operation on a read-only share.

MS13-015 (KB2800277)


Elevation of Privilege in .NET Framework


The horse is said to be the life of the party, wish we could say the same for .NET, at least for any parties I have attended. Although personally I can't imagine any party that centers around .NET, well, unless it's a vulnerability patching party! (Sorry.) In this case a user would have to visit that almost mythical by now specially crafted web page with a browser that can run XAML Browser Applications or XBAPs. This bulletin applies to just about every version of .NET from 2.0 SP2 up to 4.5. The issue involves the way .NET Framework elevates the permissions of a callback function when a particular Windows Forms object is created, which could result in an elevation of privilege for the attacker. By default IE 9 and 10 prevent XAML from running in the Internet Zone and IE 6, 7, and 8 will prompt the user before running XAML in the Internet Zone. But if you really want to be the life of the party you will install this patch.

MS13-016 (KB2778344)


Elevation of privilege in Kernel-Mode Drivers

CVE-2013-1248 CVE-2013-1249 CVE-2013-1250 CVE-2013-1264 CVE-2013-1251 CVE-2013-1265 CVE-2013-1252 CVE-2013-1266 CVE-2013-1253 CVE-2013-1267 CVE-2013-1254 CVE-2013-1268 CVE-2013-1255 CVE-2013-1269 CVE-2013-1256 CVE-2013-1270 CVE-2013-1257 CVE-2013-1271 CVE-2013-1258 CVE-2013-1272 CVE-2013-1259 CVE-2013-1273 CVE-2013-1260 CVE-2013-1274 CVE-2013-1261 CVE-2013-1275 CVE-2013-1262 CVE-2013-1276 CVE-2013-1263 CVE-2013-1277

Whoa, thirty CVEs! That's not very sheepish at all. No way this bulletin is going away quietly or calmly, not with thirty CVEs in it. The issue has to do with how the kernel handles objects in memory. To exploit any of these issues attackers need a specially crafted application and must already have a way to log in to a system. This issue does not impact Windows 8, Server 2012 or RT because the known attack vectors are blocked in those OSs; however, you should still install these patches, it won't hurt anything and provides good security in depth.

MS13-017 (KB2799494)


Elevation of Privilege in Kernel

CVE-2013-1278 CVE-2013-1279 CVE-2013-1280

If I had a million dollars I'd buy you a monkey, haven't you always wanted a monkey? No? Haven't you always wanted a vulnerability in the Windows kernel? No? Well, sorry, you have not just one, but three. This issue doesn't impact the kernel mode drivers like MS13-016 but the kernel itself and how it handles objects in memory. Again, to leverage this attack you need a specially crafted application and a way to get into a system, either with valid login credentials or a different exploit. Once an elevation of privilege has been successful an attacker could run arbitrary code in kernel mode, which would not be good. Unlike MS13-016 this issue does impact Windows 8, Server 2012 and RT as well as all the other versions of Windows. Microsoft thinks that two of these CVEs (2013-1278 and 2013-1280) would be rather difficult to exploit but that one of them (2013-1279) will probably have exploit code available within the next month or so. So don't be a monkey and patch as soon as you can.

MS13-018 (KB2790655)


Denial of Service in TCP/IP


As protocols go TCP/IP is about as unflamboyant as it gets; sure, it helps make the Internet work, but it's not the extroverted Rooster that likes to strut its stuff across the wire. Actually the way TCP/IP on Vista, Server 2008, 7, 8 and RT handles connection termination sequences could mean that it won't be able to strut its stuff anywhere. In fact exploitation of this vulnerability could force your machine to stop responding or even automatically restart. While there is very little likelihood, according to Microsoft, of exploit code being developed for this, there is no way to mitigate this or work around it; you need to install the patch. So stop parading around like a Rooster and get to it.

MS13-019 (KB2790113)


Elevation of Privilege in Windows Client/Server Run-time Subsystem (CSRSS)


Dogs are considered to be kind and friendly but anyone who exploits this vulnerability probably won't be. The Windows Client/Server Run-time Subsystem (CSRSS) is mostly responsible for Win32 console handling and GUI shutdown; however, it can also allow elevation of privilege if a user has a specially crafted application and a set of valid logon credentials, or some other way to log on locally. The impact is only for Windows 7 and Server 2008 so if you are running those be sure to grab this patch, yes you can wait until after the dog has had his walk.

MS13-020 (KB2802968)


Remote Code Execution in Object Linking and Embedding


Someone got lucky and I don't think it was the pig. This vulnerability only impacts Windows XP SP3, that's it. Actually it probably impacts older versions of Windows as well but Microsoft only lists currently supported versions; besides, you really shouldn't be running anything older than XP SP3 anyway and even that is questionable. Exploitation requires a specially crafted file and again deals with objects in memory. Successful exploitation would result in remote code execution, which of course could allow the attacker to be a complete pig and take complete control of a system. Definitely not something to mess around with. To make things even worse Microsoft expects exploit code to be found in the wild for this vulnerability real soon, so get patching.

After you are done patching go let off some firecrackers to hopefully scare off next month's Nian patch beast, and have a Happy New Year everyone!