SpiderLabs Blog

Microsoft Patch Tuesday, July 2013 - CRITICAL

Written by Space Rogue | Jul 9, 2013 12:55:00 PM

This is probably one of the most important Patch Tuesday's we have seen in quite some time. While it is not the biggest Patch Tuesday, either in bulletins or in CVE's, there are a very high number of critical issues this month that are present in very popular items. Of the six Critical remote Code Execution issues Microsoft thinks five of them will most likely be exploited. The fifth one MS13-057 may be exploited but Microsoft says it would be pretty difficult and with five other relatively easy ones why bother with the hard one? The severity of this months vulnerabilities and their ease of exploitation really makes it important for users to update this month. Especially those folks who tend to put things off or let updates pile up for several months in a row, this is not a month to let things slide to when you get around to it. While none of these have yet been seen in the wild it will not be long (days? hours?) before bad guys develop and deploy exploits for at least some of these vulnerabilities.

MS13-052 (KB2861561)

CRITICAL

Remote Code Execution in .NET

CVE-2013-3129CVE-2013-3131 CVE-2013-3132 CVE-2013-3133 CVE-2013-3134

CVE-2013-3171CVE-2013-3178

This bulletin has to fix quite a bit of stuff including how the .NET Framework handles multidimensional arrays of small structures, validates the permissions of objects performing reflection, allocates object arrays, and handles partial trust vulnerabilities among other things. So much stuff you may be offered multiple updates depending on what versions of stuff you have installed.

 

MS13-053 (KB2850851)

CRITICAL

Remote Code Execution in Kernel Mode Drivers

CVE-2013-1300CVE-2013-1340 CVE-2013-1345 CVE-2013-3129 CVE-2013-3167

CVE-2013-3172CVE-2013-3173 CVE-2013-3660

Most of those CVEs have to do with memory usage issues in Win32k.sys. Most result in non critical elevation of privilege but some like CVE-2013-3129 (see below) can result in remote code execution which gives the entire bulletin a critical rating.

 

MS13-054 (KB2848295)

CRITICAL

Remote Code Execution in GDI+

CVE-2013-3129

GDI+is the Graphics Device Interface for 2D vector graphics (yeah, I had to look it up to). Windows, Office, Visual Studio, and Lync often use it to render TrueType Fonts. Successful exploitation of this vulnerability could allow an attacker to could run arbitrary code in kernel mode, which would basically mean game over. A specially crafted web page, a specially crafted document file or a specially crafted application could all be used to take advantage of this issue.

You may notice that CVE 2013-3129 is listed in three different bulletins MS13-052,MS13-053 and MS13-054. True Type parsing vulnerabilities can be nasty and often impact multiple products like this one does. MS13-052 covers .NET and Silverlight, MS13-053 deals with the kernel mode drivers and MS13-054 take scare of the rest.

 

MS13-055 (KB2846071)

CRITICAL

Remote Code Execution in Internet Explorer

CVE-2013-3115CVE-2013-3143 CVE-2013-3144 CVE-2013-3145 CVE-2013-3146

CVE-2013-3147CVE-2013-3148 CVE-2013-3149 CVE-2013-3150 CVE-2013-3151

CVE-2013-3152CVE-2013-3153 CVE-2013-3161 CVE-2013-3162 CVE-2013-3163

CVE-2013-3164CVE-2013-3166

That's Seventeen CVEs in that list up there; of those sixteen of them are rated critical. If you only apply one patch it should definitely be this one. Of course if you if you only apply one of the seven patches this month you might want to make an appointment with your local psychotherapist. The most severe of these CVEs could allow remote code execution via a specially crafted webpage viewed in Internet Explorer. It doesn't matter which version, Internet Explorer 6,Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, and Internet Explorer 10 are all impacted. Most of these vulnerabilities are memory corruption issues and one is a cross-site-scripting issue.

 

MS13-056 (KB2845187)

CRITICAL

Remote Code Execution in Direct Show

CVE-2013-3174

Funny animated GIFs have become a popular way for users to spread internet memes. Unfortunately an issue in Direct Show could lead to Remote Code Execution the next time someone sends around a specially crafted cat GIF. What makes this even worse is the GIF file could be hosted on a website meaning the attacker only needs to convince a user to click on a link or to get their specially crafted graphic file onto a website they know the user will visit. This could be done by compromising the website or more likely by simply buying some advertising on the site. About the only god thing here is that Microsoft has not yet seen this one being used in the wild so if you apply the patch now you should be OK.

 

MS13-057 (KB2847883)

CRITICAL

Remote Code Execution in Windows Media

CVE-2013-3127

If you are running an Itanium based Windows Server, consider yourself lucky, this vulnerability is not rated Critical for you. For everyone else however a specially crafted media file could allow a bad guy to do nasty things on your system. Of course if you are not logged in as an Administrator you can greatly reduce the harm an attacker can do when they compromise your system with this or any other vulnerability so be sure to restrict your normal every day account and have a separate account that can be used for Administrative duties.

 

MS13-058 (KB2847927)

IMPORTANT

Elevation of Privilege in Windows Defender

CVE-2013-3154

I always consider it a little but ironic when security software itself has a security vulnerability. At least this month the issue isn't a critical one like all the other ones this Patch Tuesday. An issue with the path names used by Windows Defender, which is Microsoft's Anti-Spyware software, could allow an attacker who has valid login credentials to elevate his privilege level.