SpiderLabs Blog


Microsoft Patch Tuesday, May 2013

I keep hoping for an easy, relaxing Patch Tuesday of, say, only two or three bulletins, but so far this year things haven't been so easy. So far this year we have had Patch Tuesdays of seven, ten and seven bulletins, respectively, and this month we have ten. (Hmm, is there a pattern there?) Not only that, we have a zero-day vulnerability in Internet Explorer to deal with. I long for months like September 2012 when there were but two bulletins, but I should feel lucky that it's not December 2010 or April 2011 when we had no less than seventeen bulletins. I'll take the ten and be happy.

This month there are only two critical patches, both covering remote code execution, both in Internet Explorer. The rest are all rated as Important and can be found in Windows, Lync, Publisher and Word. Bulletin Nine is in Windows Essentials, which is a product we haven't seen much of here on Patch Tuesday.

MS13-037 (KB2829530)


Remote Code Execution in Internet Explorer

CVE-2013-0811 CVE-2013-1297 CVE-2013-1306 CVE-2013-1307 CVE-2013-1308
CVE-2013-1309 CVE-2013-1310 CVE-2013-1311 CVE-2013-1312 CVE-2013-1313

Yup, that's eleven CVEs fixed in one bulletin. Nine of those are use-after-free vulnerabilities, which seem to be getting more and more popular lately. A use-after-free vulnerability happens when a program references memory that it has already freed up; this can cause unexpected behavior and in these cases results in a security issue. The tenth is an information disclosure issue in the JSON array. JSON allows web apps to access data on database servers and is often used in place of XML. It is likely that many of these were discovered or at least became known during the PWN2OWN competition at the CanSecWest conference earlier this year. Of the ten CVEs, Microsoft thinks that three of them should expect exploit code to be written fairly quickly.
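As an added illustration (not code from the original post or from Microsoft), here is the pattern the paragraph describes together with one common mitigation: a constructed object pool that hands out generational handles instead of raw pointers, so a reference kept after release is rejected even once its slot has been reused for a different object, which is exactly the situation a use-after-free depends on. All type and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
/* Constructed example: a small pool of DOM-like objects addressed through
 * generational handles instead of raw pointers. A handle packs the slot index
 * with the generation the slot had when it was handed out; releasing the slot
 * bumps its generation, so a stale handle (the use-after-free pattern above)
 * is rejected even after the slot has been re-used for a different object. */
#define POOL_SLOTS 4
#define HANDLE_INVALID UINT64_MAX
typedef uint64_t handle_t;                 /* (generation << 32) | slot index */
struct obj { char name[16]; uint32_t generation; int live; };
static struct obj pool[POOL_SLOTS];

/* Hand out the first free slot; HANDLE_INVALID if the pool is exhausted. */
handle_t obj_alloc(const char *name) {
    for (uint32_t i = 0; i < POOL_SLOTS; i++) {
        if (pool[i].live) continue;
        pool[i].live = 1;
        strncpy(pool[i].name, name, sizeof pool[i].name - 1);
        pool[i].name[sizeof pool[i].name - 1] = '\0';
        return ((uint64_t)pool[i].generation << 32) | i;
    }
    return HANDLE_INVALID;
}
/* Map a handle back to its object; NULL if it is stale, double-released or bogus. */
static struct obj *obj_resolve(handle_t h) {
    uint32_t slot = (uint32_t)h, gen = (uint32_t)(h >> 32);
    if (h == HANDLE_INVALID || slot >= POOL_SLOTS) return NULL;
    if (!pool[slot].live || pool[slot].generation != gen) return NULL;
    return &pool[slot];
}

/* Release the object. With raw pointers this is the free() after which any
 * caller still holding the pointer is dangerous; here the generation bump
 * invalidates every outstanding handle at once. */
int obj_release(handle_t h) {
    struct obj *o = obj_resolve(h);
    if (o == NULL) return -1;
    o->live = 0;
    o->generation++;
    return 0;
}

/* Copy the object's name into out; -1 on a stale handle rather than reading
 * memory that may now belong to a different object. */
int obj_use(handle_t h, char *out, size_t outlen) {
    struct obj *o = obj_resolve(h);
    if (o == NULL || outlen == 0) return -1;
    strncpy(out, o->name, outlen - 1);
    out[outlen - 1] = '\0';
    return 0;
}
```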

MS13-038 (KB2847204)


Remote Code Execution in Internet Explorer


This is the zero-day that you have heard so much about. It only impacts Internet Explorer 8 and it is already being actively exploited. This is another use-after-free vulnerability that results in Remote Code Execution. Microsoft previously released a Fix It for this issue; however, even if you have already applied the Fix It you should install this patch.

MS13-039 (KB2829254)


Denial of Service in HTTP.sys


HTTP.sys is a kernel mode driver that handles HTTP Internet traffic, allowing multiple applications to pass traffic over the same port. However, if an attacker sends a specially crafted HTTP packet to a Windows 2012 Server they could trigger an infinite loop in the HTTP protocol stack and cause a denial of service.

MS13-040 (KB2836440)


Authentication Bypass in .NET Framework

CVE-2013-1336 CVE-2013-1337

This bulletin patches two CVEs. The first is a spoofing vulnerability in the .NET Framework: if a .NET application receives a specially crafted XML file, an attacker could modify the contents of the XML file without invalidating the file's signature. The second deals with how .NET creates policy requirements for authentication when setting up endpoint authentication, which could allow a successful attacker to copy information.

MS13-041 (KB2834695)


Remote Code Execution Lync


Lync, no, not Link, our intrepid hero from The Legend of Zelda, but Lync, Microsoft's instant messaging platform formerly known as Microsoft Office Communicator, contains a vulnerability that could allow an attacker to gain the same user rights as the logged-on user, which would include remote code execution. Of course the attacker would have to convince a user to view or share a specially crafted file, disguised as a presentation. However, considering how willingly most people blindly click on random links, this probably wouldn't be too hard to do. Thankfully, developing the exploit code to take advantage of this flaw appears, to Microsoft at least, to be somewhat difficult.

MS13-042 (KB2830397)


Remote Code Execution in Microsoft Publisher

CVE-2013-1316 CVE-2013-1317 CVE-2013-1318 CVE-2013-1319 CVE-2013-1320
CVE-2013-1321 CVE-2013-1322 CVE-2013-1323 CVE-2013-1327 CVE-2013-1328

This is the second bulletin this month with eleven CVEs. Some of these are buffer overflows; others deal with signed integers, pointer handling, or negative value allocations. They all require a specially crafted Publisher file. You may be offered this update even if you don't have Publisher installed, as the parts that are affected are also installed with any part of the Microsoft Office Suite.

MS13-043 (KB2830399)


Remote Code Execution in Microsoft Word


One interesting thing to note here is that only Microsoft Word 2003 SP3 and Microsoft Word Viewer are listed as being impacted. The issue revolves around the way that Word parses the content of some files. If you have configured Outlook to use Microsoft Word 2003 SP3 as an email reader you should pay close attention to this one. Using Word to read email in Outlook is not the default, so you probably know if you changed your system to do this. If you did, then an attacker could send you a specially crafted RTF email message to exploit this vulnerability. Just like you shouldn't take candy from a stranger, in this case don't open Word files from unknown sources.

MS13-044 (KB2834692)


Information Disclosure in Visio


Unlike MS13-043, which only impacted one version, MS13-044 impacts Visio 2003, 2007 and 2010. Again a specially crafted Visio file could allow an attacker to gain information about a system, information that could be used in a different attack. Like MS13-042, you may be offered this update even if you don't have Visio installed, as the affected components are also installed with the Microsoft Office Suite. The issue here is with LibXML2, which is not only used by Visio but by a host of other products, including Trustwave's own open source ModSecurity. We wrote about this vulnerability back in April. If your product also uses LibXML2 you might want to check that you are not vulnerable to this issue as well.

MS13-045 (KB2813707)


Information Disclosure in Windows Essentials


Don't get confused between Windows Essentials and Windows Security Essentials. Windows Essentials contains free software shipped with Windows like Photo Gallery, Movie Maker, Mail and others. One of those others is Writer, which, if opened via a specially crafted URL, could allow an attacker to override Windows Writer proxy settings and overwrite files accessible to the user on that system. Also note that if you have the older Windows Essentials 2011 you will need to upgrade to Windows Essentials 2012 before you can apply this update. If for some reason you can't upgrade to 2012 you will want to disable the Windows Writer handler; search for Microsoft KB article 2813707 for the automated Fix It solution to disable this handler.

MS13-046 (KB2840221)


Elevation of Privilege in Kernel-Mode Drivers

CVE-2013-1332 CVE-2013-1333 CVE-2013-1334

To exploit this one an attacker must already be able to log into the system; then they need a specially crafted application that would result in increased privileges for the user. The issue lies in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys), which improperly handles objects in memory. Note that you may be offered more than one update to fix this; you will need to install all of the updates to protect yourself from these vulnerabilities.
