I keep hoping for an easy relaxing Patch Tuesday of say, only two or three bulletins but so far this year things haven't been so easy. So far this year we have Patch Tuesdays of seven, ten and seven bulletins, respectfully, and this month we have ten. (hmm, is there a pattern there?) Not only that we have a zero-day vulnerability in Internet Explorer to deal with. I long for months like September 2012 when there were but two bulletins but I should feel lucky that its not December 2010 or April 2011 when we had no less than seventeen bulletins. I'll take the ten and be happy.
This month there are only two critical patches, both covering remote code execution, both in Internet Explorer. The rest are all rated as Important and can be found in Windows, Lync, Publisher and Word. Bulletin Nine is in Windows Essentials, which is a product we haven't seen much of here on Patch Tuesday.
MS13-037 (KB2829530)
CRITICAL
Remote Code Execution in Internet Explorer
CVE-2013-0811 CVE-2013-1297 CVE-2013-1306 CVE-2013-1307CVE-2013-1308
CVE-2013-1309 CVE-2013-1310 CVE-2013-1311 CVE-2013-1312 CVE-2013-1313
CVE-2013-2551
Yup, that's eleven CVE's fixed in one bulletin. Nine of those are use-after-free vulnerabilities, which seem to be getting more and more popular lately. A use-after-free vulnerability happens when a program references memory that it has already freed up, this can unexpected behavior and in these cases results in a security issue. The ten this an information disclosure issue in the JSON array. JSON allows web apps to access data on database servers and is often used in place of XML. It is likely that many of these were discovered or at least became known during the PWN2OWN competition at the CanSecWest conference earlier this year. Of the ten CVEs Microsoft thinks that three of them should expect exploit to be written fairly quickly.
MS13-038 (KB2847204)
CRITICAL
Remote Code Execution in Internet Explorer
CVE-2013-1347
This is the zero-day that you have heard so much about. It only impacts Internet Explorer 8 and it is already being actively exploited. This is another use-after-free vulnerability that results in Remote Code Execution. Microsoft previously released a Fix It for this issue, however even if you have already applied the Fix It you should install this patch.
MS13-039 (KB2829254)
IMPORTANT
Denial of Service in HTTP.sys
CVE-2013-1305
HTTP.sys is a kernel mode driver that handles HTTP Internet traffic allowing multiple applications to pass traffic over the same port. However if an attacker sends a specially crafted HTTP packet to a Windows 2012 Server they could trigger an infinite loop in the HTTP protocol stack and cause a denial of service.
MS13-040 (KB2836440)
IMPORTANT
Authentication Bypass in .NET Framework
CVE-2013-1336 CVE-2013-1337
This bulletin patches two CVE's, the first is a spoofing vulnerability in the .NET framework. If a .NET application receives a specially crafted XML file an attacker could modify the contents of an XML file without invalidating the file's signature. The second deals with how .NET creates policy requirements for authentication when setting up endpoint authentication, which could allow a successful attack to copy information.
MS13-041 (KB2834695)
IMPORTANT
Remote Code Execution Lync
CVE-2013-1302
Lync, no, not Link, our intrepid hero from Legend of Zelda but Lync, Microsoft's instant messaging platform formally known as Microsoft Office Communicator contains a vulnerability that could allow an attacker to gain the same user rights as the logged-on user which would include remote code execution. Of course attacker would have to convince a user to view or share a specially crafted file, disguised as a presentation. However considering how willingly most people blindly click on random links this probably wouldn't be too hard todo. Thankfully developing the exploit code to take advantage of this flaw appears, to Microsoft at least, to be somewhat difficult.
MS13-042 (KB2830397)
IMPORTANT
Remote Code Execution in Microsoft Publisher
CVE-2013-1316CVE-2013-1317 CVE-2013-1318 CVE-2013-1319 CVE-2013-1320
CVE-2013-1321CVE-2013-1322 CVE-2013-1323 CVE-2013-1327 CVE-2013-1328
CVE-2013-1329
This is the second bulletin this month with eleven CVEs. Some of these are Buffer Overflows; others deal with Signed Integers, Pointer Handling, or Negative value Allocations. They all require a specially crafted Publisher file. You may be offered this update even if you don't have Publisher installed as the parts that are affected are also installed with any part of the Microsoft office Suite.
MS13-043 (KB2830399)
IMPORTANT
Remote Code Execution in Microsoft Word
CVE-2013-1335
One interesting thing to note here is that only Microsoft Word 2003 SP3 and Microsoft Word Viewer are listed as being impacted. The issue revolves around the way that Word parses content of some files. If you have configured Outlook to use Microsoft Word 2003 SP3 as an email reader you should pay close attention to this one. Using Word to read email in Outlook is not the default so you probably know if changed your system to do this. If you did then an attacker could send you a specially crafted RTF email message to exploit this vulnerability. Just like you shouldn't take candy from a stranger in this case don't open Word files from unknown sources.
MS13-044 (KB2834692)
IMPORTANT
Information Disclosure in Visio
CVE-2013-1301
Unlike MS13-043 that only impacted one version MS13-044impacts Visio 2003, 2007 and 2010. Again a specially crafted Visio file could allow an attacker to gain information about a system, information that could be used in a different attack. Like MS13-042 you may be offered this update even if you don't have Visio installed as the affected components are also installed with the Microsoft Office Suite. The issue here is with LibXML2 which is not only used by Visio but a host of other products including Trustwave's own open source ModSecurity. We wrote about this vulnerability back in April. If your product also uses LibXML2 you might want to check that you are not vulnerable to this issue as well.
MS13-045 (KB2813707)
IMPORTANT
Information Disclosure in Windows Essentials
CVE-2013-0096
Don't get confused between Windows Essentials and Windows Security Essentials. Windows Essentials contains free software shipped with Windows like Photo Gallery, Movie Maker, Mail and others. One of those others is Writer, which if opened via a specially crafted URL, could allow an attacker to override Windows Writer proxy settings and overwrite files accessible to the user on that system. Also note that if you have the older Windows Essentials 2011you will need to upgrade to Windows Essentials 2012 before you can apply this update. If for some reason you can't upgrade to 2012 you will want to disable the Windows Writer handler, search for Microsoft KB article 2813707 for the automated Fix It solution to disable this handler.
MS13-046 (KB2840221)
IMPORTANT
Elevation of Privilege in Kernel-Mode Drivers
CVE-2013-1332 CVE-2013-1333 CVE-2013-1334
To exploit this one an attacker must already be able to log into the system, then they need a specially crafted application that would result in increased privileges for the user. The issue lies in the Microsoft DirectX graphics kernel subsystem (dxgkrnl.sys), which improperly handles objects in memory. Note that you may be offered more than one update to fix this; you will need to install all of the updates to protect yourself from these vulnerabilities.
