Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Trustwave Rapid Response: CrowdStrike Falcon Outage Update. Learn More

Services
Capture
Managed Detection & Response

Eliminate active threats with 24/7 threat detection, investigation, and response.

twi-managed-portal-color
Co-Managed SOC (SIEM)

Maximize your SIEM investment, stop alert fatigue, and enhance your team with hybrid security operations support.

twi-briefcase-color-svg
Advisory & Diagnostics

Advance your cybersecurity program and get expert guidance where you need it most.

tw-laptop-data
Penetration Testing

Test your physical locations and IT infrastructure to shore up weaknesses before exploitation.

twi-database-color-svg
Database Security

Prevent unauthorized access and exceed compliance requirements.

twi-email-color-svg
Email Security

Stop email threats others miss and secure your organization against the #1 ransomware attack vector.

tw-officer
Digital Forensics & Incident Response

Prepare for the inevitable with 24/7 global breach response in-region and available on-site.

tw-network
Firewall & Technology Management

Mitigate risk of a cyberattack with 24/7 incident and health monitoring and the latest threat intelligence.

Solutions
BY TOPIC
Offensive Security
Solutions to maximize your security ROI
Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
About Us
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Security Operations Platform
Trustwave Security Colony
Partners
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

Microsoft Patch Tuesday, May 2013

I keep hoping for an easy relaxing Patch Tuesday of say, only two or three bulletins but so far this year things haven't been so easy. So far this year we have Patch Tuesdays of seven, ten and seven bulletins, respectfully, and this month we have ten. (hmm, is there a pattern there?) Not only that we have a zero-day vulnerability in Internet Explorer to deal with. I long for months like September 2012 when there were but two bulletins but I should feel lucky that its not December 2010 or April 2011 when we had no less than seventeen bulletins. I'll take the ten and be happy.

This month there are only two critical patches, both covering remote code execution, both in Internet Explorer. The rest are all rated as Important and can be found in Windows, Lync, Publisher and Word. Bulletin Nine is in Windows Essentials, which is a product we haven't seen much of here on Patch Tuesday.

MS13-037 (KB2829530)

CRITICAL

Remote Code Execution in Internet Explorer

CVE-2013-0811 CVE-2013-1297 CVE-2013-1306 CVE-2013-1307CVE-2013-1308
CVE-2013-1309 CVE-2013-1310 CVE-2013-1311 CVE-2013-1312 CVE-2013-1313
CVE-2013-2551

Yup, that's eleven CVE's fixed in one bulletin. Nine of those are use-after-free vulnerabilities, which seem to be getting more and more popular lately. A use-after-free vulnerability happens when a program references memory that it has already freed up, this can unexpected behavior and in these cases results in a security issue. The ten this an information disclosure issue in the JSON array. JSON allows web apps to access data on database servers and is often used in place of XML. It is likely that many of these were discovered or at least became known during the PWN2OWN competition at the CanSecWest conference earlier this year. Of the ten CVEs Microsoft thinks that three of them should expect exploit to be written fairly quickly.

MS13-038 (KB2847204)

CRITICAL

Remote Code Execution in Internet Explorer

CVE-2013-1347

This is the zero-day that you have heard so much about. It only impacts Internet Explorer 8 and it is already being actively exploited. This is another use-after-free vulnerability that results in Remote Code Execution. Microsoft previously released a Fix It for this issue, however even if you have already applied the Fix It you should install this patch.

MS13-039 (KB2829254)

IMPORTANT

Denial of Service in HTTP.sys

CVE-2013-1305

HTTP.sys is a kernel mode driver that handles HTTP Internet traffic allowing multiple applications to pass traffic over the same port. However if an attacker sends a specially crafted HTTP packet to a Windows 2012 Server they could trigger an infinite loop in the HTTP protocol stack and cause a denial of service.

MS13-040 (KB2836440)

IMPORTANT

Authentication Bypass in .NET Framework

CVE-2013-1336 CVE-2013-1337

This bulletin patches two CVE's, the first is a spoofing vulnerability in the .NET framework. If a .NET application receives a specially crafted XML file an attacker could modify the contents of an XML file without invalidating the file's signature. The second deals with how .NET creates policy requirements for authentication when setting up endpoint authentication, which could allow a successful attack to copy information.

MS13-041 (KB2834695)

IMPORTANT

Remote Code Execution Lync

CVE-2013-1302

Lync, no, not Link, our intrepid hero from Legend of Zelda but Lync, Microsoft's instant messaging platform formally known as Microsoft Office Communicator contains a vulnerability that could allow an attacker to gain the same user rights as the logged-on user which would include remote code execution. Of course attacker would have to convince a user to view or share a specially crafted file, disguised as a presentation. However considering how willingly most people blindly click on random links this probably wouldn't be too hard todo. Thankfully developing the exploit code to take advantage of this flaw appears, to Microsoft at least, to be somewhat difficult.

MS13-042 (KB2830397)

IMPORTANT

Remote Code Execution in Microsoft Publisher

CVE-2013-1316CVE-2013-1317 CVE-2013-1318 CVE-2013-1319 CVE-2013-1320
CVE-2013-1321CVE-2013-1322 CVE-2013-1323 CVE-2013-1327 CVE-2013-1328
CVE-2013-1329

This is the second bulletin this month with eleven CVEs. Some of these are Buffer Overflows; others deal with Signed Integers, Pointer Handling, or Negative value Allocations. They all require a specially crafted Publisher file. You may be offered this update even if you don't have Publisher installed as the parts that are affected are also installed with any part of the Microsoft office Suite.

MS13-043 (KB2830399)

IMPORTANT

Remote Code Execution in Microsoft Word

CVE-2013-1335

One interesting thing to note here is that only Microsoft Word 2003 SP3 and Microsoft Word Viewer are listed as being impacted. The issue revolves around the way that Word parses content of some files. If you have configured Outlook to use Microsoft Word 2003 SP3 as an email reader you should pay close attention to this one. Using Word to read email in Outlook is not the default so you probably know if changed your system to do this. If you did then an attacker could send you a specially crafted RTF email message to exploit this vulnerability. Just like you shouldn't take candy from a stranger in this case don't open Word files from unknown sources.

MS13-044 (KB2834692)

IMPORTANT

Information Disclosure in Visio

CVE-2013-1301

Unlike MS13-043 that only impacted one version MS13-044impacts Visio 2003, 2007 and 2010. Again a specially crafted Visio file could allow an attacker to gain information about a system, information that could be used in a different attack. Like MS13-042 you may be offered this update even if you don't have Visio installed as the affected components are also installed with the Microsoft Office Suite. The issue here is with LibXML2 which is not only used by Visio but a host of other products including Trustwave's own open source ModSecurity. We wrote about this vulnerability back in April. If your product also uses LibXML2 you might want to check that you are not vulnerable to this issue as well.

MS13-045 (KB2813707)

IMPORTANT

Information Disclosure in Windows Essentials

CVE-2013-0096

Don't get confused between Windows Essentials and Windows Security Essentials. Windows Essentials contains free software shipped with Windows like Photo Gallery, Movie Maker, Mail and others. One of those others is Writer, which if opened via a specially crafted URL, could allow an attacker to override Windows Writer proxy settings and overwrite files accessible to the user on that system. Also note that if you have the older Windows Essentials 2011you will need to upgrade to Windows Essentials 2012 before you can apply this update. If for some reason you can't upgrade to 2012 you will want to disable the Windows Writer handler, search for Microsoft KB article 2813707 for the automated Fix It solution to disable this handler.

MS13-046 (KB2840221)

IMPORTANT

Elevation of Privilege in Kernel-Mode Drivers

CVE-2013-1332 CVE-2013-1333 CVE-2013-1334

To exploit this one an attacker must already be able to log into the system, then they need a specially crafted application that would result in increased privileges for the user. The issue lies in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys), which improperly handles objects in memory. Note that you may be offered more than one update to fix this; you will need to install all of the updates to protect yourself from these vulnerabilities.

Latest SpiderLabs Blogs

Trustwave Rapid Response: CrowdStrike Falcon Outage Update

Trustwave is proactively assessing and monitoring our clients who may have been impacted by CrowdStrike’s recently rolled-out update for its Windows users. The critical issue identified with...

Read More

Using AWS Secrets Manager and Lambda Function to Store, Rotate and Secure Keys

When working with Amazon Web Services (AWS), we often find that various AWS services need to store and manage secrets. AWS Secrets Manager is the go-to solution for this. It's a centralized service...

Read More

Facebook Malvertising Epidemic – Unraveling a Persistent Threat: SYS01

The Trustwave SpiderLabs Threat Intelligence team's ongoing study into how threat actors use Facebook for malicious activity has uncovered a new version of the SYS01 stealer. This stealer is designed...

Read More