
Microsoft Patch Tuesday, October 2013

Here in Philadelphia this month the local weather people are calling it "Aug-tober" due to the rather warm temperatures that have continued well into October. This month's Patch Tuesday, however, is nothing like August at all. For one, Trustwave SpiderLabs found one of the zero-days discussed in this batch of bulletins (we have a separate write up for that one here). In addition, four of the bulletins this month are critical and seven of them result in remote code execution! With any luck we will have "Aug-vember" weather-wise, but hopefully we won't experience a repeat of October's Patch Tuesday.

MS13-080 (KB2879017)

CRITICAL

Remote Code Execution in Internet Explorer

CVE-2013-3872 CVE-2013-3873 CVE-2013-3874
CVE-2013-3875 CVE-2013-3882 CVE-2013-3885 CVE-2013-3886
CVE-2013-3893 CVE-2013-3897

This is the biggie that everyone has been worried about that was first announced last month and for which Microsoft issued a Fix It. The good thing is that if you already applied the Fix It you do not need to undo the changes before applying this update. The issue with all ten of these vulnerabilities has to do with how Internet Explorer handles objects in memory; if items in memory get corrupted in a certain way an attacker could cause that corruption to execute arbitrary code. There are nine vulnerabilities covered in this bulletin, which impact all versions of Internet Explorer from 6 through 11. Some of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage. Getting someone to view a 'specially crafted webpage' is a lot easier than it sounds and is often accomplished by sending someone a simple email with a link in it.

Attackers are already using some of these vulnerabilities to compromise victim machines. In fact, Trustwave SpiderLabs found bad guys exploiting both CVE-2013-3879 and CVE-2013-3897. We have a separate write up for these two CVEs here, or check Microsoft's write up here.

 

MS13-081 (KB2870008)

CRITICAL

Remote Code Execution in Kernel-Mode Drivers

CVE-2013-3128 CVE-2013-3200 CVE-2013-3879 CVE-2013-3880
CVE-2013-3881 CVE-2013-3888 CVE-2013-3894

While this bulletin is also rated critical, it hasn't yet been seen in the wild being used to attack people. Microsoft does think this one would be pretty easy to exploit, and by the time you read this bad guys are probably already working on trying to figure out how to do just that. While the issue here is with the cryptically named "kernel-mode drivers," you may be more familiar with OpenType or TrueType fonts. The flaws here impact all supported releases of Microsoft Windows except Windows 8.1, Windows Server 2012 R2, and Windows RT 8.1. While some of these CVEs only result in privilege escalation, other CVEs in this bulletin will result in remote code execution. There are a few unusual cases where you may not see this update being offered in Windows Update depending on your particular system configuration. If this concerns you, check the KB article (KB2870008) for more information. Note that CVE-2013-3128 is listed both here and in MS13-082 because it also impacts the .NET Framework.

 

MS13-082 (KB2878890)

CRITICAL

Remote Code Execution in .NET Framework

CVE-2013-3128 CVE-2013-3860 CVE-2013-3861

This one is similar to MS13-081 as one of the CVEs, CVE-2013-3128, also deals with malformed OpenType fonts - only this time the issue is in the .NET Framework and not in the kernel-mode drivers. The other two CVEs deal with XML digital signatures and document type definitions in JSON data encodings and are rated Important as opposed to Critical. The good news is that exploiting any of these three would be rather difficult, though not impossible, so don't expect the bad guys to take advantage of these any time soon.

 

MS13-083 (KB2864058)

CRITICAL

Remote Code Execution in Windows Common Control Library

CVE-2013-3195

COMCTL32.DLL implements a wide variety of standard Windows controls, such as File Open, Save, and Save As dialogs, progress bars, and list views. However, if an attacker sends a specially crafted web request to an ASP.NET web application running on an affected system, they could run arbitrary code without authentication. The good thing here, if there is a good thing, is that this only impacts 64-bit versions of Windows. So there's one less patch to download and install for all those desktops running 32-bit Vista or Windows 7 or 8, or, heaven forbid, still on XP SP3! But if you have servers or desktops that have been updated to 64-bit you will definitely need to install this patch.

 

MS13-084 (KB2885089)

IMPORTANT

Remote Code Execution in Sharepoint Server

CVE-2013-3889 CVE-2013-3895

While this bulletin impacts SharePoint, CVE-2013-3889 is actually listed in two bulletins - MS13-084 and MS13-085. Since exploiting this vulnerability involves using Microsoft Excel to corrupt memory used by SharePoint, it is listed in two different bulletins to fix both products. The update helps to validate data when parsing specially crafted Office files and helps to change the configuration of SharePoint pages to help provide additional protection against click-jacking attacks. While this attack has not yet been observed in the wild, it's expected to be real soon now.

 

MS13-085 (KB2885080)

IMPORTANT

Remote Code Execution in Microsoft Excel

CVE-2013-3889 CVE-2013-3890

This bulletin fixes CVE-2013-3889 as mentioned in the previous update and also addresses CVE-2013-3890. Both vulnerabilities could allow an attacker to take complete control of a system with a specially crafted Excel file. This patch should be applied to all supported versions of Excel (except 2003 SP3) and the Microsoft Office Compatibility Pack, as well as Microsoft Office for Mac 2011, so Mac users should check for updates as well.

 

MS13-086 (KB2885084)

IMPORTANT

Remote Code Execution in Microsoft Word

CVE-2013-3891 CVE-2013-3892

These are both memory corruption vulnerabilities that can be found in specially crafted Microsoft Word files. The update fixes the vulnerabilities by correcting the way that Microsoft Word parses specially crafted files and by correcting the manner in which the XML parser used by Word resolves external entities within a specially crafted file.

 

MS13-087 (KB2890788)

IMPORTANT

Information Disclosure in Silverlight

CVE-2013-3896

If an attacker can convince a user to view a website that contains a specially crafted Silverlight application that is designed to exploit this vulnerability, perhaps via a targeted phishing email, then the attacker may be able to learn confidential information about the user. The update fixes how Microsoft Silverlight checks memory pointers when accessing certain Silverlight elements.

Now install those patches as soon as you can and maybe you can get out and enjoy some Aug-tober while it lasts!
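As an added, defender-side example (not code from the original post), here is a PowerShell check that reports whether the Windows-level updates from this batch are present on a host, using the KB numbers quoted in the bulletins above. It assumes `Get-HotFix` (Win32_QuickFixEngineering), which only lists updates installed through Windows servicing, so the Office, SharePoint and Silverlight updates (MS13-084 through MS13-087) are MSI-based and are deliberately left out.

```powershell
# Added example, not part of the original post: verify that the Windows-level
# October 2013 updates named above are installed on this host.
# Assumption: KB numbers are those quoted in the bulletins; Get-HotFix reads
# Win32_QuickFixEngineering, which lists only Windows-serviced updates
# (IE, kernel-mode drivers, .NET, COMCTL32), not MSI-based Office/Silverlight ones.

$Bulletins = @(
    @{ Id = 'MS13-080'; KB = 'KB2879017'; Severity = 'Critical'; Component = 'Internet Explorer' },
    @{ Id = 'MS13-081'; KB = 'KB2870008'; Severity = 'Critical'; Component = 'Kernel-Mode Drivers' },
    @{ Id = 'MS13-082'; KB = 'KB2878890'; Severity = 'Critical'; Component = '.NET Framework' },
    # MS13-083 only ships for 64-bit Windows, so it is not expected on 32-bit hosts.
    @{ Id = 'MS13-083'; KB = 'KB2864058'; Severity = 'Critical'; Component = 'Common Control Library'; X64Only = $true }
)

# HotFixID values look like "KB2879017", matching the bulletin KB numbers.
$Installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$Is64Bit   = [Environment]::Is64BitOperatingSystem

$Report = foreach ($b in $Bulletins) {
    # A missing X64Only key evaluates to $null, i.e. the update applies to all hosts.
    $Status = if ($b.X64Only -and -not $Is64Bit) { 'Not applicable (32-bit)' }
              elseif ($Installed -contains $b.KB) { 'Installed' }
              else { 'MISSING' }
    [PSCustomObject]@{
        Bulletin  = $b.Id
        KB        = $b.KB
        Severity  = $b.Severity
        Component = $b.Component
        Status    = $Status
    }
}

$Report | Format-Table -AutoSize

# A non-zero exit lets a compliance job or SIEM collector flag unpatched hosts.
# A MISSING result for KB2870008 may also be one of the configurations the
# bulletin says is not offered through Windows Update; confirm against the KB article.
if ($Report | Where-Object { $_.Status -eq 'MISSING' }) { exit 1 }
```

Run it in an elevated session on each host, or wrap it in `Invoke-Command` to collect the table from a fleet; for the Office and SharePoint updates, check the product's own update history instead.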
