SpiderLabs Blog

Microsoft Patch Tuesday, September 2013

In Chicago, it's been a roller coaster of a summer, from cold weather to now steaming hot. Fortunately, the weather held out for last weekend's Trustwave summer outing, which was held at Six Flags Great America in Gurnee, Illinois. For those who have attended this amusement park, there are plenty of thrills on the Raging Bull, X-Flight and Giant Drop. However, the thrill factor doesn't come close to the September Microsoft Patch Tuesday release, especially if you are an IT administrator. For this month's Patch Tuesday, Microsoft released thirteen (13) bulletins, four of them rated critical and eight of them addressing remote code execution conditions. One of the bulletins listed in the advance notification was pulled, but the thrill factor is still through the ceiling: the majority of the bulletins affect common Microsoft products (IE, Outlook, Office), and there is a good possibility that exploit code will be available for several of the critical bulletins soon.

For this Patch Tuesday, we will explore each of these beasts. Feel free to join us for this extreme ride. Secure your safety bar, because this Patch Tuesday has its steep drops and its twists and turns, and it could be a bumpy ride.

MS13-067 (KB2834052)

CRITICAL

Remote Code Execution in SharePoint Server

Like most individuals fearing the Top Thrill Dragster for its speed, administrators should fear MS13-067, based on the MAC Disabled vulnerability (CVE-2013-1330) in SharePoint Server. This vulnerability will be very attractive to attackers because it allows remote code execution, and can also create denial of service conditions, on a server that may store confidential information. Of the ten (10) CVEs included in this bulletin, several are the same Office file-parsing flaws covered by MS13-072 and MS13-073, since SharePoint Server processes Word and Excel documents too. More information about these vulnerabilities is provided further down. Until then, let the suspense continue [dun dun dun dun...].

[Image: Top Thrill Dragster - Sandusky, Ohio]



MS13-068 (KB2756473)

CRITICAL

Remote Code Execution in Outlook

This bulletin only contains a single CVE, but this one definitely packs a punch. This is the scariest bulletin of them all, sort of like Kingda Ka, which is the tallest and one of the steepest roller coasters. You had better hold on real tight for this one. If an exploit becomes available for this vulnerability, it will be real nasty for those who are affected and remain unpatched. The security flaw lies in how Microsoft Outlook handles certain specially crafted S/MIME (Secure/Multipurpose Internet Mail Extensions) email messages. Essentially, an attacker could launch a spam campaign that would infect anyone who either opens or merely previews the message in Outlook; no attachment has to be opened. Yes, this is extremely frightful. Those who have Microsoft Outlook 2007 (Service Pack 3) or Microsoft Outlook 2010 (Service Pack 1 or 2) need to ensure they are patched ASAP. However, those with Outlook 2013 have nothing to fear.

[Image: Kingda Ka - Jackson, New Jersey]



MS13-069 (KB2870699)

CRITICAL

Memory Corruption Vulnerabilities in IE

This bulletin can get your heart pumping, sort of like the gut-wrenching 97-degree, beyond-vertical drop on the Fahrenheit coaster. Since February 2013, every Patch Tuesday release has included a bulletin with at least one Internet Explorer memory corruption vulnerability. This release has a total of ten (10) CVEs covering memory corruption issues, and about half of them are rated as likely to have working exploit code within 30 days. Make sure you keep your eyes open for spam campaigns that attempt to entice you to visit a specially crafted web page. Currently, it appears that none of these vulnerabilities has been included in an exploit kit yet.

[Image: Fahrenheit - Hershey, Pennsylvania]




MS13-070 (KB2876217)

CRITICAL

Remote Code Execution in OLE

I consider this bulletin the memory corruption of doom. Object Linking and Embedding (OLE) is a core Windows framework for creating and displaying compound documents, that is, documents that embed objects such as images. For example, if you really liked the Drop of Doom image below and copied and pasted it into Word, OLE would be used during that process. This is one of the few bulletins where a remote code execution vulnerability is found in a core component of Windows, which makes it really intense. However, only legacy operating system versions are affected, namely Windows XP and Windows Server 2003.

[Image: Drop of Doom - Valencia, California]

 

MS13-071 (KB2864063)

IMPORTANT

Remote Code Execution via Windows Theme Files

The Colossus roller coaster may not be as extreme as Kingda Ka or the Top Thrill Dragster, but it still has its twists and turns. This bulletin contains only a single CVE, but it may allow an attacker to remotely execute code with the rights of the logged-on user. Even with working exploit code for this vulnerability, the attacker would still have to social engineer a user into opening a malicious Windows theme file. Additionally, this vulnerability only affects legacy operating systems, namely Windows XP, Windows Vista and Windows Server 2003/2008. This one is still important, because you want to make sure your system is protected from the unknown.

[Image: Colossus - Surrey, U.K.]




MS13-072 (KB2845537)

IMPORTANT

Remote Code Execution in Microsoft Office

This is a roller coaster with a gut-wrenching drop of terror, sort of like being unprotected from thirteen (13) vulnerabilities in the infamous Microsoft Office. Several of these vulnerabilities are memory corruption flaws in Office document parsing that can result in remote code execution. Additionally, some of these same CVEs are covered by the SharePoint Server bulletin (MS13-067) mentioned earlier. To end this terror, patch now!

[Image: Tower of Terror - Gold Coast, Australia]



MS13-073 (KB2858300)

IMPORTANT

Remote Code Execution in Microsoft Excel

Haven't we been on this thrill ride already (bulletin MS13-072)? This bulletin covers several memory corruption vulnerabilities in Microsoft Excel. It appears that memory corruption has become a major theme of this Patch Tuesday release. Additionally, the XML External Entities Resolution Vulnerability (CVE-2013-3159) appears to be very similar to CVE-2013-3160 in bulletin MS13-072, except that this one is in Microsoft Excel: a crafted file that declares an external entity can make the application read a local file and disclose its contents.

[Image: Supreme Scream - Buena Park, California]



MS13-074 (KB2848637)

IMPORTANT

Remote Code Execution in Microsoft Access

Similar to MS13-072 and MS13-073, this is another bulletin covering memory corruption vulnerabilities that result in remote code execution. The most frightful part of this bulletin is that current versions, including Access 2010 and Access 2013, are affected. Fortunately, it is unlikely that these memory corruption vulnerabilities will be exploited in the near future, since the attack vector appears relatively complex. Take a breath of relief and let's move on to the next one.

[Image: AtmosFear - Gothenburg, Sweden]

 

MS13-075 (KB2878687)

IMPORTANT

Elevation of Privileges in Microsoft Office IME (Chinese)

This roller coaster is one of a kind. The bulletin is unique in that it only affects Chinese versions of Microsoft Office, which install a vulnerable version of the Input Method Editor (IME) by default. Exploiting this vulnerability requires the attacker to be logged on to the machine with valid credentials. However, if the attacker is successful, it could elevate their privileges beyond those of the logged-on user. Those who are not running a Chinese version of Office will have no trouble challenging this beast.

[Image: Mountain Flyer - China]



MS13-076 (KB2876315)

IMPORTANT

Elevation of Privileges in Kernel-Mode Drivers

This bulletin might be a bit of a bumpy ride. The vulnerabilities affect a wide range of Windows versions, from Windows XP to Windows 8. Depending on your Windows version, they could result in elevation of privilege or denial of service conditions. Being elevation of privilege bugs, they require an attacker who can already run code on the host, which is exactly what the remote code execution bulletins above would hand over, so patch them together.

[Image: The Boss - Eureka, Missouri]




MS13-077 (KB2872339)

IMPORTANT

Elevation of Privileges in Windows Service Control Manager

With a sigh of relief, this is the last memory corruption vulnerability covered in this month's Patch Tuesday. This memory corruption vulnerability was discovered in the Service Control Manager (SCM), which maintains the database of installed Windows services and starts them at boot time. Similar to several beasts of its kind, the attacker would need to convince an authenticated user to run a specially crafted application in order to exploit this vulnerability successfully; it is a local elevation of privilege, not a remote one. This still seems intimidating to me!

[Image: Intimidator 305 - Doswell, Virginia]




MS13-078 (KB2878685)

IMPORTANT

Information Disclosure in FrontPage

This is one of the short bumpy rides, with only one CVE. This bulletin covers an information disclosure vulnerability in FrontPage 2003 that appears to be caused by a flaw in LibXML2. LibXML brings back flashbacks of a vulnerability we wrote about back in April, as well as the information disclosure vulnerability in Visio (MS13-044). In any case, an attacker would need to entice the target into opening a malicious XML file whose external entity declaration points the parser at a local system file, so that the file's contents are revealed in the parsed output.

[Image: Shivering Timbers - Muskegon County, Michigan]
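The external entity class of flaw behind CVE-2013-3159 in Excel (MS13-073) and the FrontPage bulletin above is easy to reproduce with any parser that resolves DTD entities. The PowerShell below is an added example, not code from this post or from Microsoft's bulletins, and it does not reproduce the Office or FrontPage exploits themselves. It builds a constructed XML document that declares an external entity pointing at a throwaway file in %TEMP% (the file name, element names and entity name are assumptions for the demo), shows a .NET XmlReader configured to resolve DTDs leaking that file's contents, then shows the same document rejected by a reader with DtdProcessing set to Prohibit, and adds a regex pre-screen of the kind a mail or file gateway can run before a document ever reaches the vulnerable application.

```powershell
# Added example, not code from the SpiderLabs post or from Microsoft:
# reproduces the external entity (XXE) class of flaw with a .NET XmlReader,
# first misconfigured, then hardened, plus a gateway-style pre-screen.
# The temp file, element names and entity name are assumptions for the demo.

# Constructed bait: a local file standing in for the "system file content"
# an attacker wants disclosed.
$secret = Join-Path $env:TEMP 'xxe-demo-secret.txt'
Set-Content -Path $secret -Value 'CONFIDENTIAL: contents the parser should never emit'

# Constructed malicious document: a DOCTYPE declaring an external entity whose
# SYSTEM identifier is a file URI, then a reference to it in the body.
$crafted = @"
<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY leak SYSTEM "file:///$($secret -replace '\\','/')">
]>
<doc><note>&leak;</note></doc>
"@

function Test-XmlHasExternalEntity {
    # Cheap pre-screen for a mail or file gateway: flag any general or
    # parameter entity declared with an external (SYSTEM/PUBLIC) identifier.
    param([Parameter(Mandatory)][string]$Xml)
    return [bool]($Xml -match '<!ENTITY\s+(%\s+)?\S+\s+(SYSTEM|PUBLIC)\b')
}

function Read-XmlWith {
    # Loads $Xml through an XmlReader built from the given settings and
    # returns the document's text content.
    param(
        [Parameter(Mandatory)][string]$Xml,
        [Parameter(Mandatory)][System.Xml.XmlReaderSettings]$Settings
    )
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $Xml), $Settings)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($reader)
        return $doc.DocumentElement.InnerText
    } finally {
        $reader.Dispose()
    }
}

# Vulnerable configuration: DTDs are parsed and a URL resolver is available,
# so &leak; is expanded to the contents of the referenced file.
$unsafe = New-Object System.Xml.XmlReaderSettings
$unsafe.DtdProcessing = [System.Xml.DtdProcessing]::Parse
$unsafe.XmlResolver   = New-Object System.Xml.XmlUrlResolver

# Hardened configuration: any DOCTYPE is rejected before an entity can be
# declared, and no resolver exists even if one slipped through.
$safe = New-Object System.Xml.XmlReaderSettings
$safe.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$safe.XmlResolver   = $null

"Pre-screen flags external entity : $(Test-XmlHasExternalEntity $crafted)"
"Vulnerable reader returned       : $(Read-XmlWith $crafted $unsafe)"
try {
    "Hardened reader returned         : $(Read-XmlWith $crafted $safe)"
} catch {
    "Hardened reader refused document : $($_.Exception.Message)"
}
Remove-Item $secret -ErrorAction SilentlyContinue
```

The pre-screen is a cheap first filter, not a substitute for the parser setting: it only catches a literal SYSTEM or PUBLIC entity declaration, while DtdProcessing.Prohibit refuses any DOCTYPE at all, which is the right default for documents received from outside. Note that a freshly created XmlReaderSettings object already prohibits DTDs on current .NET; the vulnerable branch has to opt in to Parse and supply a resolver, which is exactly the kind of opt-in legacy parsers such as the ones patched this month made on your behalf.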



MS13-079 (KB2853587)

IMPORTANT

Denial of Service in Active Directory

There is only one CVE in this bulletin, but it has the potential to cause chaos in Active Directory environments: a specially crafted LDAP query can leave the LDAP service unable to process further messages. Once the denial of service condition occurs, the administrator would need to restart the directory service in order for LDAP to become responsive again, so every domain controller reachable from an untrusted network should be on the patch list.

[Image: King Chaos - Gurnee, Illinois]




Hopefully, you enjoyed the ride. Before you leave, make sure the automatic security update feature is enabled so that these security flaws are patched ASAP. Have a happy Patch Tuesday!!!
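To turn that closing advice into something you can verify, here is an added PowerShell example (not from the post and not a Trustwave tool) that reads the Automatic Updates notification level through the Windows Update Agent COM API and then asks the agent which not-yet-installed updates carry one of this month's bulletin IDs. It assumes it runs on the host being checked and that the host can reach its configured update source (WSUS or Microsoft Update); the bulletin list is taken from the headings above.

```powershell
# Added example, not code from the SpiderLabs post: check that Automatic
# Updates will install security updates unattended, and list any September
# 2013 bulletins the Windows Update Agent still considers missing.
# Assumes the host can reach its update source (WSUS or Microsoft Update).

$bulletins = 'MS13-067','MS13-068','MS13-069','MS13-070','MS13-071','MS13-072',
             'MS13-073','MS13-074','MS13-075','MS13-076','MS13-077','MS13-078','MS13-079'

# 1. Automatic Updates notification level (IAutomaticUpdatesSettings):
#    4 = scheduled install, 3 = notify before install, 2 = notify before
#    download, 1 = disabled, 0 = not configured.
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
$levelNames = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
                 3 = 'Notify before install'; 4 = 'Scheduled install' }
"Automatic Updates: $($levelNames[[int]$au.NotificationLevel])"
if ($au.NotificationLevel -lt 4) {
    Write-Warning 'Automatic Updates will not install security updates unattended on this host.'
}

# 2. Ask the update agent for updates that are not installed and keep those
#    whose metadata carries one of this month's bulletin IDs. The search
#    contacts the update source and can take a few minutes.
$searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")
$missing  = foreach ($update in $result.Updates) {
    $ids = @($update.SecurityBulletinIDs) | Where-Object { $bulletins -contains $_ }
    if ($ids) {
        [pscustomobject]@{
            Bulletin = ($ids -join ',')
            KB       = (@($update.KBArticleIDs) -join ',')
            Severity = $update.MsrcSeverity
            Title    = $update.Title
        }
    }
}
if ($missing) {
    'Missing September 2013 bulletins:'
    $missing | Sort-Object Bulletin | Format-Table -AutoSize
} else {
    'All September 2013 bulletins applicable to this host are installed.'
}
```

The bulletin-to-update mapping comes from the update metadata (SecurityBulletinIDs) rather than from the KB numbers in the headings above, because the KB in each bulletin title identifies the bulletin article, while Get-HotFix and the update agent report the per-product package KBs, which differ. Checking installed hotfixes against the bulletin KBs would therefore report every host as unpatched.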
