SpiderLabs Blog

Microsoft Patch Tuesday, October 2013

Here in Philadelphia this month the local weather people are calling it "Aug-tober" because the rather warm temperatures have continued well into October. This month's Patch Tuesday, however, is nothing like August at all. For one, Trustwave SpiderLabs found one of the zero-days addressed in this batch of bulletins (we have a separate write-up for that one here). In addition, four of the eight bulletins this month are rated Critical and seven of them address remote code execution! With any luck we will have "Aug-vember" weather-wise, but hopefully we won't experience a repeat of October's Patch Tuesday.

MS13-080 (KB2879017)


Remote Code Execution in Internet Explorer

CVE-2013-3872 CVE-2013-3873 CVE-2013-3874 CVE-2013-3875 CVE-2013-3882
CVE-2013-3885 CVE-2013-3886 CVE-2013-3893 CVE-2013-3897

This is the biggie that everyone has been worried about: it was first announced last month, and Microsoft issued a Fix It for it at the time. The good news is that if you already applied the Fix It you do not need to undo those changes before applying this update. All of these vulnerabilities come down to how Internet Explorer handles objects in memory; if memory gets corrupted in a certain way, an attacker can turn that corruption into arbitrary code execution. The nine CVEs listed above impact every version of Internet Explorer from 6 through 11. Some of them allow remote code execution if a user merely views a specially crafted web page, and getting someone to view a "specially crafted web page" is a lot easier than it sounds: it is often accomplished by sending someone a simple email with a link in it.

Attackers are already using some of these vulnerabilities to compromise victim machines. In fact, Trustwave SpiderLabs found attackers exploiting both CVE-2013-3897 and CVE-2013-3879 (the latter is the kernel-mode driver flaw addressed by MS13-081, below). We have a separate write-up on these two CVEs here, or check Microsoft's write-up here.

MS13-081 (KB2870008)


Remote Code Execution in Kernel-Mode Drivers

CVE-2013-3128 CVE-2013-3200 CVE-2013-3879 CVE-2013-3880
CVE-2013-3881 CVE-2013-3888 CVE-2013-3894

This bulletin is also rated Critical, and apart from CVE-2013-3879 (see MS13-080 above) its flaws haven't yet been seen being used to attack people. Microsoft does think these would be fairly easy to exploit, though, and by the time you read this attackers are probably already working on figuring out how. The cryptically named "kernel-mode drivers" are the Windows components that, among other things, parse OpenType and TrueType fonts, so several of these flaws are reached through specially crafted fonts. The flaws impact all supported releases of Microsoft Windows except Windows 8.1, Windows Server 2012 R2 and Windows RT 8.1. Some of these CVEs only result in privilege escalation, but others in this bulletin result in remote code execution. There are a few unusual cases where, depending on your particular system configuration, you may not see this update offered in Windows Update; if that concerns you, check the KB article (KB2870008) for more information. Note that CVE-2013-3128 is listed both here and in MS13-082 because it also impacts the .NET Framework.

MS13-082 (KB2878890)


Remote Code Execution in .NET Framework

CVE-2013-3128 CVE-2013-3860 CVE-2013-3861

This one is similar to MS13-081 in that one of the CVEs, CVE-2013-3128, also deals with malformed OpenType fonts, only this time the issue is in the .NET Framework rather than in the kernel-mode drivers. The other two CVEs deal with XML digital signatures and with document type definitions (DTDs) in JSON data encodings, and are rated Important as opposed to Critical. The good news is that exploiting any of these three would be rather difficult, though not impossible, so don't expect the bad guys to take advantage of them any time soon.

MS13-083 (KB2864058)


Remote Code Execution in Windows Common Control Library


COMCTL32.DLL implements a wide variety of standard Windows controls, such as the File Open, Save and Save As dialogs, progress bars and list views. If an attacker sends a specially crafted web request to an ASP.NET web application running on an affected system, they could run arbitrary code without authentication. The good thing here, if there is a good thing, is that this only impacts 64-bit versions of Windows. So there's one less patch to download and install for all those desktops running 32-bit Vista, Windows 7 or 8, or, heaven forbid, still on XP SP3! But if you have servers or desktops running 64-bit Windows you will definitely need to install this patch.

MS13-084 (KB2885089)


Remote Code Execution in SharePoint Server

CVE-2013-3889 CVE-2013-3895

While this bulletin covers SharePoint, CVE-2013-3889 is actually listed in two bulletins, MS13-084 and MS13-085. Exploiting this vulnerability involves a specially crafted Excel file corrupting memory used by SharePoint, so it is listed in both bulletins to fix both products. The update improves the validation of data when parsing specially crafted Office files and changes the configuration of SharePoint pages to provide additional protection against click-jacking attacks. While this attack has not yet been observed in the wild, expect that to change soon.

MS13-085 (KB2885080)


Remote Code Execution in Microsoft Excel


This bulletin fixes CVE-2013-3889, mentioned under the previous bulletin, and also addresses CVE-2013-3890. Both vulnerabilities could allow an attacker to take complete control of a system with a specially crafted Excel file. This patch should be applied to all supported versions of Excel (except 2003 SP3), the Microsoft Office Compatibility Pack, and Microsoft Office for Mac 2011, so Mac users should check for updates as well.

MS13-086 (KB2885084)


Remote Code Execution in Microsoft Word


This bulletin addresses two memory corruption vulnerabilities that can be triggered by specially crafted Microsoft Word files. The update fixes them by correcting the way Microsoft Word parses specially crafted files and by correcting the manner in which the XML parser used by Word resolves external entities within a specially crafted file.

MS13-087 (KB2890788)


Information Disclosure in Silverlight


If an attacker can convince a user to view a website that contains a specially crafted Silverlight application designed to exploit this vulnerability, perhaps via a targeted phishing email, the attacker may be able to learn confidential information about the user. The update fixes how Microsoft Silverlight checks memory pointers when accessing certain Silverlight elements.

Now install those patches as soon as you can and maybe you can get out and enjoy some Aug-tober while it lasts!
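Before closing the ticket, a practitioner will want to confirm that the Windows-level updates from this batch actually landed. The script below is an added example, not code from this post or from Microsoft. It queries the installed update list with Get-HotFix and reports the two Windows component packages whose KB numbers the bulletins above carry: the Internet Explorer cumulative update (KB2879017, MS13-080) and the COMCTL32 update (KB2864058, MS13-083), skipping the latter on 32-bit hosts where, as noted above, it does not apply. MS13-081 is deliberately left out of the table: its bulletin number (KB2870008) is an umbrella article and the individual driver packages are installed under their own KB numbers, so look those up in the KB article and add them to the table. Office, SharePoint and Silverlight updates are not reported by Get-HotFix at all and have to be verified through those products' own update channels. The function name and the Only64Bit field are this example's own; it assumes Get-HotFix (Win32_QuickFixEngineering) reports installed .msu packages by KB number.

```powershell
# Added example: audit a Windows host for the OS-level October 2013 packages.
# Not code from the SpiderLabs post or from Microsoft. Assumes Get-HotFix
# (Win32_QuickFixEngineering) reports installed .msu packages by KB number.
# 'Test-OctoberPatchStatus' and the 'Only64Bit' field are this example's own names.

function Test-OctoberPatchStatus {
    param(
        # Host to query; defaults to the local machine. Remote queries need WMI access.
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Package KB numbers taken from the bulletins above. MS13-081 (KB2870008) is an
    # umbrella article whose driver packages carry their own KB numbers, so it is
    # not listed here; add the package numbers from that KB article to this table.
    $expected = @(
        @{ Bulletin = 'MS13-080'; KB = 'KB2879017'; Component = 'Internet Explorer';                Only64Bit = $false },
        @{ Bulletin = 'MS13-083'; KB = 'KB2864058'; Component = 'Common Control Library (COMCTL32)'; Only64Bit = $true }
    )

    # Win32_ComputerSystem.SystemType is present back to XP ("X86-based PC",
    # "x64-based PC"), unlike Win32_OperatingSystem.OSArchitecture.
    $cs   = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    $is64 = $cs.SystemType -notmatch '^x86'

    # Installed package identifiers, e.g. "KB2879017".
    $installed = Get-HotFix -ComputerName $ComputerName | ForEach-Object { $_.HotFixID }

    foreach ($e in $expected) {
        $status = if ($e.Only64Bit -and -not $is64) { 'NotApplicable' }
                  elseif ($installed -contains $e.KB)  { 'Installed' }
                  else                                 { 'Missing' }

        # New-Object PSObject keeps this runnable on PowerShell 2.0 (Windows 7 / XP era).
        New-Object PSObject -Property @{
            Bulletin  = $e.Bulletin
            KB        = $e.KB
            Component = $e.Component
            Status    = $status
        }
    }
}

# Usage: run locally, or pass -ComputerName to audit a server over WMI.
Test-OctoberPatchStatus | Format-Table Bulletin, KB, Component, Status -AutoSize
```

A "Missing" row for KB2879017 on a host that still has last month's Fix It applied is expected; as the MS13-080 section says, the Fix It does not need to be removed first, so just install the cumulative update and re-run the check.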
