SpiderLabs Blog

Microsoft Patch Tuesday, January 2013 – Hot Sauce

I had lunch today at a great little Cajun restaurant in Chicago called Heaven on Seven, so named because it happens to be on the seventh floor of a large office building. (If you go, get the gumbo.) Of course, purely by coincidence, we happen to have exactly seven bulletins from Microsoft this month. (At least there aren't as many bulletins as Heaven on Seven has hot sauces. They have 1320 of them!)


While it may not be a great start to the New Year, only seven bulletins isn't that bad, historically speaking. Although when you add in the recent Internet Explorer 0-day vulnerability, things aren't looking much better in 2013 than they did in 2012. While there are two 'critical' patches this month and five 'important' ones, none of them cover the recent zero-day vulnerability discovered two weeks ago. Microsoft has issued a Fix-It for the zero-day vulnerability in Internet Explorer; however, a bypass for the Fix-It has already been published, which means that people who are still using Internet Explorer 6, 7 or 8 will still be vulnerable until probably next month's Patch Tuesday. In the meantime they may feel like they are using a browser that is as hot as Mad Dog 357 Ghost Pepper sauce! Of course, if you can't wait until next month's Patch Tuesday, you could also just update your browser to Internet Explorer 9 or 10, or to Chrome or Firefox, and remove the burning from your mouth.

This month's bulletins seem to be pretty evenly spread around, with three in Microsoft Windows, one in XML Core Services, one in System Center Operations Manager (SCOM), one in .NET and one in OData Services. In all, the seven bulletins cover just twelve CVEs. The two critical bulletins are MS13-001, which is in the print spooler of all places, and MS13-002 in MSXML.

MS13-001 (KB2769369)

Remote Code Execution in Windows Print Spooler


This only impacts Windows 7 and Server 2008 R2. If the print server receives a specially crafted print job it could allow remote code execution. Almost like the specially crafted Bourbon Street Really Bad hot sauce will remotely execute a fire in your mouth! If you are running Server 2008 R2 and are looking for this update in Windows Update to put out that fire and not finding it, it may be because your server is not configured with the Printer-ServerCore-Role. This vulnerability was reported privately to Microsoft and so hasn't been seen in the wild yet, but specially crafted Bourbon Street Really Bad hot sauce is in the wild, so apply those patches as soon as you can.

MS13-002 (KB2756145)

Remote Code Execution in Microsoft XML Core Services

CVE-2013-0006 CVE-2013-0007

While not impacted itself, Internet Explorer is used as the attack vector for this vulnerability. By tricking a visitor into visiting a specially crafted web page, XML Core Services will incorrectly parse certain XML content, resulting in remote code execution. Just about everything uses XML Core Services, including XP SP3 through Windows 8 and RT, as well as Server 2008, some installations of MS Office, SharePoint and even Groove Server. Luckily Island Groove Jamaican Hot Sauce is not vulnerable! While there is only one Island Groove Jamaican Hot Sauce, you may be offered more than one version of this patch depending on which versions of XML Core Services you have installed.

MS13-003 (KB2748552)

Elevation of Privilege in System Center Operations Manager

CVE-2013-0009 CVE-2013-0010

You might wonder just what the hell System Center Operations Manager is, just like you might wonder just how hot Tears of Fire Hot Sauce really is. While MS13-003 will elevate your privileges, will you really have tears of fire after tasting Tears of Fire Hot Sauce? If you are not familiar with it, SCOM allows you to manage multiple hypervisors in a cloud management platform. Again the issue is exploited by first visiting a specially crafted web page, perhaps via a link in a phishing email, a watering hole attack or even a compromised advertisement on a web page. The attacker can then use a cross-site scripting (XSS) vulnerability to inject a client-side script into the user's browser, allowing the attacker to take any action allowed by the user's level of access.

MS13-004 (KB2769324)

Elevation of Privilege in .NET Framework

CVE-2013-0002 CVE-2013-0003 CVE-2013-0004

Texas Tongue Three Pepper Hot Sauce says it uses three different peppers, just like this bulletin covers three different CVEs. The most severe CVE of this bunch could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs), or it could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. The security update addresses how .NET handles items in memory, including array sizes and object permissions. Texas Tongue Three Pepper Hot Sauce, on the other hand, just makes your food taste hot.

MS13-005 (KB2778930)

Elevation of Privilege in Windows Kernel-Mode Driver


Don't confuse a kernel-mode driver with Colonel Cooper's Mile High Hot Sauce: one tastes yummy, the other allows elevation of privilege. The Windows kernel-mode driver handles window broadcast messages, which is how Windows communicates with various applications. An attacker needs to be able to log on locally to a system in order to take advantage of this flaw. If this vulnerability is successfully exploited an attacker could take complete control of a system, limited only by the user's level of access, which is another reason not to run as admin all the time.

MS13-006 (KB2785220)

Security Feature Bypass


This is only rated important, and with a description of 'Security Feature Bypass' you might not realize that it's actually a vulnerability in the implementation of SSL and TLS in Microsoft Windows. Just like the name Inner Beauty Sauce might fool you as to the effects of the contents of the bottle, this description might fool you as to the severity of this bulletin. An attacker could use this flaw to inject specially crafted content into an SSL/TLS session and cause the SSL connection to downgrade from SSLv3 to SSLv2.

MS13-007 (KB2769327)


Denial of Service in Open Data Protocol


The Open Data Protocol (OData) is a Web protocol for querying and updating data that provides access to information from a variety of applications, services, and stores. However, Microsoft's version could allow a denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site. You will need this update if you have .NET installed or the Management OData IIS Extension on Server 2012. The patch fixes the vulnerability by turning off the WCF Replace function by default. If you can't apply the patch you could try blocking ports at your firewall, but OData usually uses ports 80 and 443, so that probably won't work. You could also try turning on authentication for clients connecting via IIS, but that would probably be a major pain for your users; just install the patch.

Now, go grab one of your favorite hot sauces, or just get some Tabasco if you can't find your favorite (or maybe Tabasco is your favorite), get some grub to put the sauce on, and fire up Windows Update and get installing those patches.
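If you would rather verify than trust Windows Update, here is an added example (not from the original post) that checks a host for the seven KB numbers listed above and reports the Schannel SSL 2.0 settings that MS13-006's downgrade lands on. One caveat: a bulletin's headline KB number is the bulletin article, and bulletins that patch several components (MSXML, .NET) install packages with their own KB numbers, so a "missing" result for those means check the bulletin's package list rather than assuming the host is unpatched.

```powershell
# Added example, not part of the original post. Run from an elevated prompt.
# Bulletin -> headline KB number, as listed in the post.
$bulletins = @{
    'MS13-001' = 'KB2769369'   # Windows Print Spooler (Win7 / Server 2008 R2)
    'MS13-002' = 'KB2756145'   # XML Core Services (component packages use other KBs)
    'MS13-003' = 'KB2748552'   # System Center Operations Manager
    'MS13-004' = 'KB2769324'   # .NET Framework (component packages use other KBs)
    'MS13-005' = 'KB2778930'   # Windows kernel-mode driver
    'MS13-006' = 'KB2785220'   # SSL/TLS downgrade
    'MS13-007' = 'KB2769327'   # Open Data Protocol
}

# HotFixID values from the local update history; -contains is case-insensitive.
$installed = Get-HotFix | ForEach-Object { $_.HotFixID }

$report = foreach ($ms in ($bulletins.Keys | Sort-Object)) {
    $kb = $bulletins[$ms]
    [PSCustomObject]@{
        Bulletin  = $ms
        KB        = $kb
        Installed = ($installed -contains $kb)
    }
}
$report | Format-Table -AutoSize

# Schannel protocol settings. If the SSL 2.0 key is absent the OS default applies;
# Enabled=0 (and DisabledByDefault=1) means SSLv2 cannot be negotiated on that side.
$sslv2 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'
foreach ($side in 'Client', 'Server') {
    $path = Join-Path $sslv2 $side
    if (Test-Path $path) {
        $p = Get-ItemProperty -Path $path
        "SSL 2.0 $side : Enabled=$($p.Enabled) DisabledByDefault=$($p.DisabledByDefault)"
    } else {
        "SSL 2.0 $side : no explicit setting (OS default applies)"
    }
}
```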
