SpiderLabs Blog

Microsoft Patch Tuesday, July 2013 - CRITICAL

This is probably one of the most important Patch Tuesdays we have seen in quite some time. While it is not the biggest Patch Tuesday, either in bulletins or in CVEs, there are a very high number of critical issues this month that are present in very popular items. Of the six Critical Remote Code Execution issues, Microsoft thinks five of them will most likely be exploited. The remaining one, MS13-057, may be exploited, but Microsoft says it would be pretty difficult, and with five other relatively easy ones, why bother with the hard one? The severity of this month's vulnerabilities and their ease of exploitation really make it important for users to update this month. Especially for those folks who tend to put things off or let updates pile up for several months in a row, this is not a month to let things slide until you get around to it. While none of these have yet been seen in the wild, it will not be long (days? hours?) before bad guys develop and deploy exploits for at least some of these vulnerabilities.

MS13-052 (KB2861561)

Remote Code Execution in .NET

CVE-2013-3129 CVE-2013-3131 CVE-2013-3132 CVE-2013-3133 CVE-2013-3134

This bulletin has to fix quite a bit of stuff, including how the .NET Framework handles multidimensional arrays of small structures, validates the permissions of objects performing reflection, allocates object arrays, and handles partial trust vulnerabilities, among other things. So much stuff that you may be offered multiple updates depending on what versions of stuff you have installed.

MS13-053 (KB2850851)

Remote Code Execution in Kernel Mode Drivers

CVE-2013-1300 CVE-2013-1340 CVE-2013-1345 CVE-2013-3129 CVE-2013-3167 CVE-2013-3172 CVE-2013-3173 CVE-2013-3660

Most of those CVEs have to do with memory usage issues in Win32k.sys. Most result in non-critical elevation of privilege, but some, like CVE-2013-3129 (see below), can result in remote code execution, which gives the entire bulletin a critical rating.

MS13-054 (KB2848295)

Remote Code Execution in GDI+

GDI+ is the Graphics Device Interface for 2D vector graphics (yeah, I had to look it up too). Windows, Office, Visual Studio, and Lync often use it to render TrueType fonts. Successful exploitation of this vulnerability could allow an attacker to run arbitrary code in kernel mode, which would basically mean game over. A specially crafted web page, a specially crafted document file or a specially crafted application could all be used to take advantage of this issue.

You may notice that CVE-2013-3129 is listed in three different bulletins: MS13-052, MS13-053 and MS13-054. TrueType parsing vulnerabilities can be nasty and often impact multiple products, as this one does. MS13-052 covers .NET and Silverlight, MS13-053 deals with the kernel mode drivers and MS13-054 takes care of the rest.

MS13-055 (KB2846071)

Remote Code Execution in Internet Explorer

CVE-2013-3115 CVE-2013-3143 CVE-2013-3144 CVE-2013-3145 CVE-2013-3146 CVE-2013-3147 CVE-2013-3148 CVE-2013-3149 CVE-2013-3150 CVE-2013-3151 CVE-2013-3152 CVE-2013-3153 CVE-2013-3161 CVE-2013-3162 CVE-2013-3163

That's seventeen CVEs in that list up there; of those, sixteen are rated critical. If you only apply one patch, it should definitely be this one. Of course, if you only apply one of the seven patches this month, you might want to make an appointment with your local psychotherapist. The most severe of these CVEs could allow remote code execution via a specially crafted web page viewed in Internet Explorer. It doesn't matter which version: Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 are all impacted. Most of these vulnerabilities are memory corruption issues and one is a cross-site scripting issue.

MS13-056 (KB2845187)

Remote Code Execution in DirectShow

Funny animated GIFs have become a popular way for users to spread internet memes. Unfortunately, an issue in DirectShow could lead to Remote Code Execution the next time someone sends around a specially crafted cat GIF. What makes this even worse is that the GIF file could be hosted on a website, meaning the attacker only needs to convince a user to click on a link or to get their specially crafted graphic file onto a website they know the user will visit. This could be done by compromising the website or, more likely, by simply buying some advertising on the site. About the only good thing here is that Microsoft has not yet seen this one being used in the wild, so if you apply the patch now you should be OK.

MS13-057 (KB2847883)

Remote Code Execution in Windows Media

If you are running an Itanium-based Windows Server, consider yourself lucky: this vulnerability is not rated Critical for you. For everyone else, however, a specially crafted media file could allow a bad guy to do nasty things on your system. Of course, if you are not logged in as an Administrator you can greatly reduce the harm an attacker can do when they compromise your system with this or any other vulnerability, so be sure to restrict your normal everyday account and have a separate account that can be used for Administrative duties.

MS13-058 (KB2847927)

Elevation of Privilege in Windows Defender

I always consider it a little bit ironic when security software itself has a security vulnerability. At least this month the issue isn't a critical one like all the other ones this Patch Tuesday. An issue with the path names used by Windows Defender, which is Microsoft's anti-spyware software, could allow an attacker who has valid login credentials to elevate his privilege level.
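For anyone checking whether this month's seven bulletins have actually landed on a machine, here is a small added PowerShell check (example code, not part of the original post); it assumes only the bulletin and KB numbers listed above and the built-in Get-HotFix cmdlet.

```powershell
# Added example, not from the original post: report which of the July 2013
# bulletin KBs Get-HotFix can see on the local machine. Bulletin numbers and
# KB ids are the ones listed in the post above.
$bulletins = [ordered]@{
    'MS13-052' = 'KB2861561'
    'MS13-053' = 'KB2850851'
    'MS13-054' = 'KB2848295'
    'MS13-055' = 'KB2846071'
    'MS13-056' = 'KB2845187'
    'MS13-057' = 'KB2847883'
    'MS13-058' = 'KB2847927'
}

# HotFixID values look like "KB2850851"; collect them once.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = @()
foreach ($entry in $bulletins.GetEnumerator()) {
    if ($installed -contains $entry.Value) {
        '{0} ({1}): installed' -f $entry.Key, $entry.Value
    } else {
        '{0} ({1}): not found' -f $entry.Key, $entry.Value
        $missing += $entry.Key
    }
}

# Caveat: a bulletin KB can be an umbrella id (the post notes MS13-052 may
# arrive as several version-specific .NET updates), so "not found" means
# "confirm in Windows Update or WSUS", not necessarily "unpatched".
if ($missing.Count -gt 0) {
    'Confirm via Windows Update: {0}' -f ($missing -join ', ')
}
```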
