SpiderLabs Blog

Microsoft Patch Tuesday, March 2013 – Happy St. Patch-rick's Day!

Saint Patrick's Day is quickly becoming Saint Patrick's Week. Some cities have scheduled their parade a week earlier than the actual day, which I guess means an extended period of green beer. Hopefully the luck of the Irish is with you this month as Microsoft rolls out seven bulletins that may impact your systems. If attackers get lucky they could end up executing arbitrary code remotely, so grab your lucky charm and apply these patches as soon as you can, and then go grab some of that green beer before it is all gone.

MS13-021 (KB2809289)
Remote Code Execution in Internet Explorer

CVE-2013-0087 CVE-2013-0088 CVE-2013-0089 CVE-2013-0090
CVE-2013-0091 CVE-2013-0092 CVE-2013-0093 CVE-2013-0094

This bulletin covers nine CVEs, which isn't as many snakes as St. Patrick drove out of Ireland but is still quite a lot. Eight of these were reported privately to Microsoft, but one of them, and we suspect the one that is out of CVE numerical order, was publicly disclosed. As we suspected last week, all of them are use-after-free vulnerabilities in various parts of Internet Explorer. Use-after-free bugs have been pretty popular over the last few months and we suspect we will see more of these in the near future. If a user views a specially crafted web page it could result in remote code execution. Despite the public disclosure of one of these CVEs, none of them have been seen exploited in the wild yet. However, Microsoft does expect to see exploit code for some or all of these in the near future.

MS13-022 (KB2814124)
Remote Code Execution in Silverlight

This one is a null pointer dereference vulnerability that, unfortunately, does not point to a pot of gold. Null pointer dereferences are something you usually see in Linux and not so often in Windows, at least not since the introduction of function pointer encoding in XP SP2. This one could require a little social engineering to exploit: by convincing a user to visit a website that hosts specially crafted content, attackers could take advantage of this vulnerability to execute arbitrary code. The link could arrive in a spam email, an IM, a targeted phishing attack or even a watering hole attack on a compromised website. Both the Mac and Windows versions of Silverlight 5 are vulnerable, except the current build, 5.1.10411.0, which already addresses this vulnerability and is not impacted. Microsoft does expect exploit code to be developed for this fairly soon, so it is best to let auto update do its thing and install the patch.

MS13-023 (KB2801261)
Remote Code Execution in Visio Viewer

Leprechauns like to play tricks and it looks like they tricked us here. Last week we thought this bulletin would be related to MS13-026, but it looks like the joke's on us as this one only impacts Visio Viewer 2010. The flaw exists in a component Visio Viewer shares with MS Office, and because that component is present in Office the update will be offered to all Office users, even those who don't have Visio Viewer installed.

MS13-024 (KB2780176)
Elevation of Privilege in SharePoint

CVE-2013-0080 CVE-2013-0083 CVE-2013-0084 CVE-2013-0085

A four-leaf clover is considered pretty lucky, but these four CVEs are not. They cover just about everything: a callback function flaw, XSS, directory traversal and even a good old-fashioned buffer overflow. The most severe of these could allow an elevation of privilege if a user visits a targeted SharePoint site, but only if the user is running SharePoint 2010 SP1 or SharePoint Foundation 2010 SP1. Other versions of SharePoint do not appear to be impacted.

MS13-025 (KB2816264)
Information Disclosure in OneNote

If you are running the latest version of OneNote, OneNote 2013, a really old version like 2003 or 2007, or even the Web Apps 2010 version, you don't need to worry about this bulletin. If you are running OneNote 2010 SP1, 32- or 64-bit, then you will need this patch. If you don't install it, an attacker could convince you to open a specially crafted OneNote file, perhaps one promising you a kiss since you're Irish, triggering a buffer size validation issue that lets them read arbitrary data.

MS13-026 (KB2816264)
Information Disclosure in Outlook for Mac

You don't usually see Mac Office vulnerabilities by themselves, which is why last week we thought this one might be related to MS13-023 in Visio; looks like we were wrong on that one. This one impacts both MS Office for Mac 2008 and 2011 and revolves around how Outlook for Mac loads specific content tags in an HTML5 email message. An attacker could use a specially crafted HTML email message to load content without user interaction, which tells the attacker that a specific email was read and that the email account is valid. After applying this update Outlook will ask the user whether they are sure they want to download external content. If you want to be lucky, make sure your horseshoe is pointed up so the luck doesn't run out while you install this update.
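The MS13-026 issue is the classic "read receipt" leak: any remote resource the mail client fetches on render tells the sender the message was opened and the mailbox is live. The following is an added example (not Trustwave's or Microsoft's code) of the kind of check a mail gateway or triage script can run on an HTML body to list the external references the client would fetch, separating them from harmless cid: (MIME part) and data: (inline) references. The sample message and the hostnames tracker.example and cdn.example are constructed for the example.

```python
"""Flag remote content references in an HTML email body.

Added example, not Trustwave's or Microsoft's code: a mail-gateway style
check for the class of issue described under MS13-026, where a client that
loads external content without user interaction lets the sender learn that
the message was opened and the mailbox is live. The sample message and the
hostnames below are constructed for the example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tag/attribute pairs that cause a mail client to fetch a remote resource.
REMOTE_ATTRS = {
    "img": ("src",),
    "link": ("href",),
    "script": ("src",),
    "iframe": ("src",),
    "frame": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
    "embed": ("src",),
    "object": ("data",),
}

# url(...) inside an inline style attribute, e.g. a CSS background image.
CSS_URL = re.compile(r"url\(\s*['\"]?([^'\")\s]+)['\"]?\s*\)", re.IGNORECASE)


def is_remote(url: str) -> bool:
    """True when fetching the URL would hit the network.

    cid: references point at a MIME part of the same message and data: URLs
    are inline, so neither leaks anything; http(s) and protocol-relative
    (//host/...) URLs do.
    """
    url = url.strip()
    if url.startswith("//"):
        return True
    return urlparse(url).scheme.lower() in ("http", "https")


class RemoteContentScanner(HTMLParser):
    """Collects a {tag, attr, url} record for every remote reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        attrs = {name.lower(): (value or "") for name, value in attrs}
        for attr in REMOTE_ATTRS.get(tag, ()):
            value = attrs.get(attr, "")
            if value and is_remote(value):
                self.findings.append({"tag": tag, "attr": attr, "url": value.strip()})
        # Inline CSS can fetch content too, on any element.
        for url in CSS_URL.findall(attrs.get("style", "")):
            if is_remote(url):
                self.findings.append({"tag": tag, "attr": "style", "url": url})


def scan_html_email(body: str) -> list:
    """Return every remote reference in the HTML body, in document order."""
    scanner = RemoteContentScanner()
    scanner.feed(body)
    scanner.close()
    return scanner.findings


def remote_hosts(body: str) -> list:
    """Sorted, de-duplicated hosts the client would contact when rendering."""
    hosts = set()
    for finding in scan_html_email(body):
        host = urlparse(finding["url"]).hostname  # handles //host/... as well
        if host:
            hosts.add(host)
    return sorted(hosts)


# Constructed sample: an embedded (cid:) image, an inline data: image,
# a 1x1 remote image, a remote stylesheet and a CSS background image.
SAMPLE_EMAIL = """<html><body>
<p>Top o' the morning! The agenda is attached.</p>
<img src="cid:logo@example" alt="logo">
<img src="data:image/gif;base64,R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7" alt="">
<img src="https://tracker.example/open.gif?id=abc123" width="1" height="1">
<link rel="stylesheet" href="//cdn.example/mail.css">
<div style="background: url('http://tracker.example/bg.png')">Hello</div>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html_email(SAMPLE_EMAIL):
        print(f"{f['tag']}[{f['attr']}] -> {f['url']}")
    print("hosts contacted on render:", remote_hosts(SAMPLE_EMAIL))
```

On the sample message the scanner reports the 1x1 tracking image, the remote stylesheet and the CSS background, and leaves the cid: and data: images alone; a gateway rule can then quarantine or annotate messages whose remote hosts are not on an allow list, which is the same decision the patched Outlook pushes to the user with its download prompt.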

MS13-027 (KB2807986)
Elevation of Privilege in Kernel Mode Drivers

CVE-2013-1285 CVE-2013-1286 CVE-2013-1287

All three of these are USB descriptor vulnerabilities which, if successfully exploited, could result in an elevation of privilege for the attacker. The flaw exists in all supported versions of Windows from XP SP2 up to Server 2012. Since the problem exists in the USB drivers you could try to prevent users from using USB devices, which these days would probably mean taking away their keyboard and mouse. If a user does insert a USB device that can take advantage of this flaw it may sprout roots and grow just as St. Patrick's staff did. It would be a lot easier to just apply this update. Microsoft does expect exploit code to be developed for this flaw pretty quickly, so again, apply the update.
