Microsoft Patch Tuesday, June 2013

Finally, Patch Tuesday has arrived, and fortunately this one will be a real treat. This release should be a breeze with only five (5) bulletins, only one of which is critical. Some of these bulletins might not affect you if you are running a Windows 64-bit system (such as MS13-048) or running an unaffected version of Microsoft Office (MS13-051). So I'm expecting the update process to go fairly quickly; there is no need to wait until bedtime or lunch to perform these security updates. But of course there are no guarantees. However, I would 'Just do it', as the Nike slogan says. There is always the exception if you're running a critical application on a Windows Server where you need to schedule a time window to get security updates installed, but this shouldn't be a big deal. Without further ado, let's jump into these bulletins.


MS13-047 (KB2838727)


Remote Code Execution in Internet Explorer

CVE-2013-3110, CVE-2013-3111, CVE-2013-3112, CVE-2013-3113, CVE-2013-3114, CVE-2013-3116, CVE-2013-3117, CVE-2013-3118, CVE-2013-3119, CVE-2013-3120, CVE-2013-3121, CVE-2013-3122, CVE-2013-3123, CVE-2013-3124, CVE-2013-3125, CVE-2013-3139, CVE-2013-3141, CVE-2013-3142

It is rare to have only one bulletin in an entire release that contains more than one CVE. It is also unusual for one bulletin to have at least eighteen of them. Similar to last month, Internet Explorer is plagued with more critical vulnerabilities, which appear to be caused by memory corruption issues. Many of the CVEs appear to be use-after-free vulnerabilities, which could allow arbitrary code to be executed and/or cause denial of service conditions. However, there are many CVEs in here that can result in remote code execution, which is definitely something to worry about, especially when it affects a browser. Traditionally, we've seen exploit kits, such as the Blackhole Exploit Kit, implement exploits that target IE vulnerabilities. Fortunately, none of these appear to have been added quite yet.


MS13-048 (KB2839229)


Windows Kernel Information Disclosure Vulnerability


This bulletin patches one (1) CVE for an information disclosure in the Windows kernel. To exploit this vulnerability, the attacker would need sufficient access to execute a malicious application, or might use various social engineering techniques to trick a privileged user into executing a malicious program. It's a no-brainer that if the attacker succeeds in this attempt, you have bigger problems than disclosing information about the system, such as gaining additional privileges or injecting a shell. Fortunately, this vulnerability will not result in escalation of privileges or remote code execution conditions. Additionally, this vulnerability only exists in x86 Windows systems up to Windows 7.


MS13-049 (KB2845690)


TCP/IP Integer Overflow Vulnerability


Similar to the last one, this bulletin also contains just one (1) CVE. This vulnerability is based on how the Windows TCP/IP driver handles certain specially crafted packets. If this vulnerability is left unpatched, an attacker could potentially send specially crafted packets to a server in order to cause denial of service conditions. Since it requires these maliciously crafted packets to be transmitted over a network, technologies such as an Intrusion Detection System (IDS) with proper signatures will be able to detect exploitation of this vulnerability. Additionally, this vulnerability does not affect certain older versions of the Windows operating system, such as Windows XP SP3 and Windows Server 2003 SP2.


MS13-050 (KB2839894)


Print Spooler Vulnerability


This appears to be a use-after-free vulnerability based on a memory corruption flaw in how Windows deletes printer spooler connections. The attacker would need to be authenticated to the system in order to exploit this vulnerability. However, this vulnerability could potentially be useful for gaining escalated privileges on the system. It is very likely that someone will develop an exploit for this vulnerability, since it wouldn't be terribly difficult. However, this one doesn't result in remote code execution, so there are bigger fish to fry.


MS13-051 (KB2839571)


Office Buffer Overflow Vulnerability


Microsoft Office 2003 SP3 and/or Microsoft Office for Mac 2011 users should pay particularly close attention to this vulnerability, since an attacker could specially craft an Office document that could potentially allow remote code execution conditions. This includes a user viewing a specially crafted email message in Outlook. This vulnerability could be especially risky for users who always log in under an account with administrator privileges, since this exploit could be used for escalated privileges.

On that note, it's best to use the Least-Privileged User Account (LUA) approach to alleviate some of these risks. Additionally, if you're a Mac Office user, don't forget to update too. When the security updates become available, Mac users can update Office by selecting "Software Update..." in the operating system. As always, Windows users can download these updates from the Microsoft Download Center or simply ensure that the automatic security update feature is enabled.

That's all folks. Thanks again for listening. Hopefully, you've enjoyed this one and you will look forward to another exciting patch Tuesday release for next month.
