Microsoft Patch Tuesday, January 2013 – Hot Sauce

I had lunch today at a great little Cajun restaurant in Chicago called Heaven on Seven, so named because it happens to be on the seventh floor of a large office building. (If you go, get the gumbo.) Of course, purely by coincidence, we happen to have exactly seven bulletins from Microsoft this month. (At least there aren't as many bulletins as Heaven on Seven has hot sauces. They have 1320 of them!)


While it may not be a great start to the New Year, only seven bulletins isn't that bad, historically speaking. Although when you add in the recent Internet Explorer 0-day vulnerability, things aren't looking much better in 2013 than they did in 2012. While there are two 'critical' patches this month, and five 'important' ones, none of them cover the recent zero-day vulnerability discovered two weeks ago. Microsoft has issued a Fix-It for the zero-day vulnerability in Internet Explorer; however, a bypass for the Fix-It has already been published, which means that people who are still using Internet Explorer 6, 7 or 8 will still be vulnerable until probably next month's Patch Tuesday. In the meantime they may feel like they are using a browser that is as hot as Mad Dog 357 Ghost pepper sauce! Of course, if you can't wait until next month's Patch Tuesday, you could also just update your browser to Internet Explorer 9 or 10 or Chrome or Firefox and remove the burning from your mouth.

This month's bulletins seem to be pretty evenly spread around, with three in Microsoft Windows, one in XML Core Services, one in System Center Operations Manager (SCOM), one in .NET and one in OData Services. In all, the seven bulletins cover just twelve CVEs. The two critical bulletins are MS13-001, which is in the print spooler of all places, and MS13-002 in MSXML.

MS13-001 (KB2769369)


Remote Code Execution in Windows Print Spooler


This only impacts Windows 7 and Server 2008 R2. If the print server receives a specially crafted print job, it could allow remote code execution. Almost like the specially crafted Bourbon Street Really Bad hot sauce will remotely execute a fire in your mouth! If you are running Server 2008 R2 and are looking for this update in Windows Update to put out that fire and not finding it, it may be because your server is not configured as a Printer-Server Core-Role. This vulnerability was reported privately to Microsoft and so hasn't been seen in the wild yet, but specially crafted Bourbon Street Really Bad hot sauce is in the wild, so apply those patches as soon as you can.

MS13-002 (KB2756145)


Remote Code Execution in Microsoft XML Core Services

CVE-2013-006 CVE-2013-007

While not impacted itself, Internet Explorer is used as the attack vector for this vulnerability. When a visitor is tricked into viewing a specially crafted web page, XML Core Services will incorrectly parse certain XML content, resulting in remote code execution. Just about everything uses XML Core Services, including XP SP3 to Windows 8 and RT as well as Server 2008, some installations of MS Office, SharePoint and even Groove Server. Luckily Island Groove Jamaican Hot Sauce is not vulnerable! While there is only one Island Groove Jamaican Hot Sauce, you may be offered more than one version of this patch depending on which versions of XML Core Services you have installed.

MS13-003 (KB2748552)


Elevation of Privilege in System Center Operations Manager

CVE-2013-0009 CVE-2013-0010

You might wonder just what the hell System Center Operations Manager is, just like you might wonder just how hot Tears of Fire Hot Sauce really is. While MS13-003 will elevate your privileges, will you really have tears of fire after tasting Tears of Fire Hot Sauce? If you are not familiar with it, SCOM allows you to manage multiple hypervisors in a cloud management platform. Again, the issue is exploited by first visiting a specially crafted web page, perhaps with a link in a phishing email, a watering hole attack or even a compromised advertisement on a web page. The attacker can then use a cross-site scripting (XSS) vulnerability to inject a client-side script into the user's browser, allowing the attacker to take any action allowed by the user's level of access.

MS13-004 (KB2769324)


Elevation of Privilege in .NET Framework

CVE-2013-0002 CVE-2013-0003 CVE-2013-0004

Texas Tongue Three Pepper Hot Sauce says it uses three different peppers, just like this bulletin covers three different CVEs. The most severe CVE of this bunch could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs), or it can also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. The security update addresses how .NET handles items in memory, including array sizes and object permissions. Texas Tongue Three Pepper Hot Sauce, on the other hand, just makes your food taste hot.

MS13-005 (KB2778930)


Denial of Service in open Data Protocol


Don't confuse a kernel-mode driver with Colonel Coopers Mile High Hot Sauce: one tastes yummy, the other allows elevation of privilege. The Windows kernel-mode driver handles window broadcast messages, which is how Windows communicates with various applications. An attacker needs to be able to log on locally to a system in order to take advantage of this flaw. If this vulnerability is successfully exploited, an attacker could take complete control of a system, limited only by the user's level of access, which is another reason not to run as admin all the time.

MS13-006 (KB2785220)


Security Feature Bypass


This is only rated important, and with a description of 'Security Feature Bypass' you might not realize that it's actually a vulnerability in the implementation of SSL and TLS in Microsoft Windows. Just like the name Inner Beauty Sauce might fool you as to the effects of the contents in the bottle, this description might fool you as to the severity of this bulletin. An attacker could use this flaw to inject specially crafted content into an SSL/TLS session and cause the SSL connection to downgrade from SSLv3 to SSLv2.

MS13-007 (KB2769327)


Denial of Service in Open Data Protocol


The Open Data Protocol (OData) is a Web protocol for querying and updating data, and it provides access to information from a variety of applications, services, and stores. However, Microsoft's version could allow a denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site. You will need this update if you have .NET installed or the Management OData IIS Extension on Server 2012. The patch fixes the vulnerability by turning off the WCF Replace function by default. If you can't apply the patch, you could try blocking ports at your firewall, but OData usually uses ports 80 and 443, so that probably won't work. You could also try turning on authentication for clients connecting via IIS, but that would probably be a major pain for your users, so just install the patch.

Now, go grab one of your favorite hot sauces, or just get some Tabasco if you can't find your favorite (or maybe Tabasco is your favorite), get some grub to put the sauce on and fire up Windows Update and get installing those patches.


