Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Microsoft Patch Tuesday, March 2013 – Happy St. Patch-rick's Day!

Saint Patrick's day is quickly becoming Saint Patrick'sweek. Some cities have scheduled their parade a week earlier than the actualday, which I guess means an extended period of green beer. Hopefully the luckof Irish is with you this month as Microsoft rolls out seven bulletins that mayimpact your systems. If they attackers get lucky they could end up executearbitrary remote code so grab your lucky charm and apply these patches as soonas you can so you go grab some of that green beer before it is all gone.

MS13-021 (KB2809289)


Remote Code Execution in Internet Explorer

CVE-2013-0087 CVE-2013-0088 CVE-2013-0089 CVE-2013-0090
CVE-2013-0091 CVE-2013-0092 CVE-2013-0093 CVE-2013-0094

This bulletin covers nine CVE's, which isn't as many snakesas St. Patrick drive out of Ireland but is still quite a lot. Eight of thesewhere reported privately to Microsoft but one of them, and we suspect the onethat is out of CVE numerical order, was publicly disclosed. As we suspected last week all of them are useafter free vulnerabilities in various parts of Internet Explorer. Use afterFree has been pretty popular over the last few month and we suspect we will seemore of these in the near future. If a user views a specially crafted web pageit could result in remote code execution. Despite the public disclosure of oneof these CVEs they haven't been seen being exploited in the wild, yet. However,Microsoft does expect to see exploit code for some or all of these in the nearfuture.

MS13-022 (KB2814124)


Remote Code Execution in Silverlight


This is a NullPointer Dereference Vulnerability does not unfortunately point to a pot ofgold. This is something you usually seein Linux and not so often in Windows, at least not since the introduction offunction pointer encoding in XP SP2. This one could require a littlesocial engineering to exploit. By convincing a user to visit a website thathosts specially crafted content attackers could take advantage of this vulnerabilityto execute arbitrary code. This could come by way of a link in a spam email, anIM, a targeted phishing attack or even a watering hole attack on a compromisedwebsite. Both Mac and Windows versionsof Silverlight 5 are vulnerable, but not the current build 5.1.10411.0, whichalready addresses this vulnerability and is not impacted. Microsoft does expect exploit code to bedeveloped for this fairly soon so it is best to allow auto update to do itsthing and install the patch.

MS13-023 (KB2801261)


Remote Code Execution in Visio Viewer


Leprechauns like to play tricks and it looks like theytricked us here. Last week we thought this bulletin would be related toMS13-026 but it looks like the jokes on us as this one only impacts VisioViewer 2010. You may be offered this update even if you don't have Visio Viewerinstalled. The flaw here exists in a shared component with MS Office, thecomponent is present in Office so the update will be offered to all Officeusers even if they don't have Visio Viewer installed.

MS13-024 (KB2780176)


Elevation of Privilege in SharePoint

CVE-2013-0080 CVE-2013-0083 CVE-2013-0084 CVE-2013-0085

A four-leaf clover is considered pretty lucky but these fourCVEs are not. These four CVE's cover just about everything, from a CallbackFunction, XSS, Directory Traversal and even a good old fashioned BufferOverflow vulnerability. The most severeof which could allow an elevation of privilege if a user visits a targetedSharePoint site, but only if the user is running SharePoint 2010 SP1 orSharePoint Foundation 2010 SP1. Other versions of SharePoint do not appear to beimpacted.

MS13-025 (KB2816264)


Information Disclosure in OneNote


If you are running the latest version of OneNote, OneNote2013, or a really old version like 2003 or 2007 or even the WebAps 2010 versionyou don't need to worry about this bulletin but if you are running OneNote 2010SP1 32 or 64 bit then you will need this patch. If you don't install the patchan attacker could convince you to open a specially crafted OneNote file,perhaps one promising you a kiss since your Irish, causing a buffer sizevalidation issue and allowing them to read arbitrary data.

MS13-026 (KB2816264)


Information Disclosure in Outlook for Mac


You don't usually see Mac Office vulnerabilities bythemselves, which is why last week we thought this one might be related toMS13-023 in Visio, looks like we wrong on that one. This one impacts both MS Office for Mac 2008and 2011 and revolves around how Outlook for Mac loads specific content tags inan HTML5 email message. An attackercould use a specially crafted HTML email message to load content without userinteraction allowing an attacker to know that a specific email was read andthat the email account is valid. Afterapplying this update Outlook will ask a user if they are sure they want todownload external content. If you wantto be lucky make sure your horseshoe is pointed up so the luck doesn't run outwhile you install this update.

MS13-027 (KB2807986)


Elevation of Privilege in Kernel Mode Drivers

CVE-2013-1285 CVE-2013-1286 CVE-2013-1287

All three of these are USB descriptor vulnerabilities, whichif successfully exploited could result in an Elevation of Privilege for theattacker. The flaw exists in all supported versions of Windows from XP SP2 upto Server 2012. Since the problem existsin the USB drivers you could try to prevent users from using USB devices, whichthese days would probably mean taking away their keyboard and mouse. If a userdoes insert a USB device that can take advantage of this flaw it may sproutroots and grow just as St. Patrick's staff. It would be a lot easier to justapply this update. Microsoft does expectexploit code to be developed for this flaw pretty quickly, so again, apply theupdate.

Related SpiderLabs Blogs