SpiderLabs Blog

Microsoft Patch Tuesday, November 2013

Most of us thought this would be an easy month with only eight bulletins to deal with and only three listed as critical. Unfortunately, there is evidence of one vulnerability mentioned in those bulletins being actively exploited in the wild and a second zero-day, which isn't even covered in this month's bulletins, being used by bad guys.

What has become known as the TIFF zero-day detailed in Security Advisory 2896666 was not patched this month. Microsoft released a Fix-It to help mitigate this actively exploited vulnerability. An actual patch for it will be out as soon as it is ready and will probably be an out-of-band patch that will come out well before December's Patch Tuesday.

The second zero-day was found just days ago, and it is also being actively exploited in the wild. However, in this case Microsoft was able to include a full patch in this month's batch of bulletins. You can read about it as MS13-090 down below.

MS13-088 (KB288505)


Remote Code Execution in Internet Explorer

CVE-2013-3871 CVE-2013-3871 CVE-2013-3908 CVE-2013-3910 CVE-2013-3911

CVE-2013-3914 CVE-2013-3915 CVE-2013-3916 CVE-2013-3917

The patch is offered as a cumulative security update for Internet Explorer and fixes ten privately reported vulnerabilities, the most severe of which could allow remote code execution if a user visits a specifically crafted webpage. The update is critical for all currently supported versions of Internet Explorer including Internet Explorer 8.1, 11 and RT Preview editions. The update fixes how Internet Explorer handles special characters in cascading style sheets, print previews and objects in memory. While none of these issues have yet been seen exploited in the wild, Microsoft does expect exploit code to be produced rather soon.


MS13-089 (KB2876331)


Remote Code Execution in Graphics Device Interface


You don't see vulnerabilities involving WordPad every day and definitely not critical ones that can result in remote code execution. The problem lies with how the Graphics Device Interface handles integer calculations when processing image files. So if an attacker can get you to open a specially crafted Windows Write file in WordPad they can run their own code, which can lead to all sorts of nasty things. While an exploit using this vulnerability has not yet been seen in the wild, it shouldn't be too difficult to write one. So get those patches applied as soon as you can.


MS13-090 (KB2900986)


Remote Code Execution in ActiveX Kill Bits


This one is already being actively exploited in the wild. It was first discovered by FireEye a few days ago. Do not confuse this patch for the ActiveX kill bits zero-day with the patch for the zero-day that impacts TIFF files. The patch for the TIFF file zero-day should be available soon.

Viewing a specially crafted webpage with Internet Explorer that instantiates the InformationCardSigninHelperClass ActiveX control (icardie.dll) could execute arbitrary code remotely. This patch addresses the vulnerability by setting kill bits so that the vulnerable control does not run in Internet Explorer.
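A defender-side verification, added here and not part of the original SpiderLabs post: kill bits are enforced through the "Compatibility Flags" value under Internet Explorer's ActiveX Compatibility registry key, with bit 0x400 marking a control as killed. The CLSID below is a placeholder, not the real one for icardie.dll; substitute the CLSID from the MS13-090 bulletin before running.

```powershell
# Added example, not code from the SpiderLabs post. Verifies whether the
# ActiveX kill bit is set for a CLSID and whether the MS13-090 update is present.
# PLACEHOLDER CLSID: replace with the CLSID listed in the MS13-090 bulletin.
$Clsid = '{00000000-0000-0000-0000-000000000000}'

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # Internet Explorer honours kill bits via the "Compatibility Flags" value;
    # bit 0x400 (decimal 1024) means "do not load this control".
    $KillBitFlag = 0x400
    $Paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        # 32-bit view on 64-bit Windows (32-bit IE reads this hive)
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($Path in $Paths) {
        $Flags = $null
        if (Test-Path $Path) {
            $Flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
        }
        [PSCustomObject]@{
            RegistryPath = $Path
            KeyPresent   = Test-Path $Path
            Flags        = $Flags
            KillBitSet   = ($null -ne $Flags) -and (($Flags -band $KillBitFlag) -ne 0)
        }
    }
}

# Report kill-bit state for both registry views.
Test-ActiveXKillBit -Clsid $Clsid | Format-Table -AutoSize

# Confirm the bulletin's update (KB2900986, from the post) is installed.
$Fix = Get-HotFix -Id 'KB2900986' -ErrorAction SilentlyContinue
if ($Fix) { "KB2900986 installed on $($Fix.InstalledOn)" } else { "KB2900986 NOT installed" }
```

A control whose key is missing or whose flags lack 0x400 can still be loaded by Internet Explorer, so both the kill bit and the hotfix should be confirmed before treating a host as covered.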


MS13-091 (KB2885093)


Remote Code Execution in Microsoft Office

CVE-2013-0082 CVE-2013-1324 CVE-2013-1325

Remember WordPerfect? Well, if a specially crafted WordPerfect file is opened in Microsoft Office it could result in remote code execution. This patch is available for Microsoft Office 2003, 2007, 2010, 2013, and 2013. One good thing is that this vulnerability cannot be exploited automatically through email. For an attack to be successful, a user must open an attachment that is sent in an email message. Attackers generally find it fairly easy to get users to open attachments. Alternatively an attacker could host the file on a website and then try to get someone to download and open it from there. Which, again, isn't usually all that difficult.


MS13-092 (KB2893986)


Elevation of Privilege in Hyper-V


Hyper-V is a native hypervisor that enables platform virtualization on x86-64 systems. If an attacker successfully passes a specially crafted function parameter in a hypercall from an existing, running virtual machine to the hypervisor, they could cause a denial of service or elevation of privileges. The security update addresses the vulnerability by ensuring that Hyper-V properly sanitizes user input.


MS13-093 (KB2875783)


Information Disclosure in Windows Ancillary Function Driver


The Windows Ancillary Function Driver is used by the WinSock networking stack to implement certain functionality. If an attacker logs on to an affected system as a local user and runs a specially crafted application on the system, they could obtain information from a higher-privileged account. About the only good thing about this vulnerability is that it only impacts 64-bit versions of the Windows OS including Windows XP, Server 2003, Vista, Server 2008, 7, Server 2008 R2, 8 and Server 2012. The security update addresses the vulnerability by correcting how Windows copies data from kernel memory to user memory.


MS13-094 (KB2894514)


Information Disclosure in Microsoft Outlook


This one is a little tricky and as such Microsoft does not expect exploit code to be written to take advantage of this anytime soon. Regardless, users ought to install this patch. If an attacker can get a user to open or preview a specially crafted S/MIME email message, they could ascertain the IP address and open TCP ports of the target system and connected systems. That might not sound like a big deal unless you are the attacker who could use such information to launch additional attacks. This issue is present in Microsoft Outlook 2007, 2010, 2013 and 2013 RT.


MS13-095 (KB2868626)


Denial of Service in Digital Signatures


X.509 certificates help manage public keys through a Public Key Infrastructure (PKI). This vulnerability could allow denial of service when the X.509 certificate validation operation fails to properly handle a specially crafted X.509 certificate. There are no mitigations or workarounds available for this one, so if you want to make sure you are protected you don't have any choice but to install the patch.

