Microsoft Patch Overview for February 2013


These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future.  I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!”  But if none of the following makes sense to you, that’s probably a good path to follow just in case.

Notes and Observations

  • Twelve bulletins were released covering 57 vulnerabilities.
  • This isn’t quite as bad as it sounds (but you should still patch them all). One of the bulletins, MS13-009, addresses 13 vulnerabilities in Internet Explorer and should be patched pretty much immediately. Another, MS13-016, addresses 30 in the kernel-mode driver, but these are tricky race conditions that allow privilege escalation and don’t worry me all that much.
  • However, MS13-010 is being used to some extent in the wild.  There is a component of the vulnerability that can be used for information disclosure.  This may be why Microsoft issued two patches for IE instead of one.  If you can’t install -009, at least install -010.
  • The apparent focus du jour for vulnerability researchers is the Use After Free vulnerability.  I’ll admit that I’m not up to date on this particular one, but I’ll see what I can come up with in the near future.
  • There’s a patch for an Exchange Server vulnerability that involves viewing Paradox database files in Outlook Web Access. I haven’t seen mention of Paradox in years. But I mention this not just for the historical oddity. OWA really can render such files, and Microsoft admits that this ability is not documented. Be aware of this not just with Microsoft, but with other companies whose products can read many file formats. They have to have parsers for every one of them, and those parsers are often not as good as the original vendor’s (and some of those aren’t that good, either).
  • Nevertheless, I grouped it as one of two items to patch sometime in the next 90 days.  I’m really not that concerned that someone is going to try to craft a Paradox DB file for this when there are better ways to attack the user.  The other one I’m not worried about is a Network File System (NFS) issue since almost no one uses it in this context.

Chart Guidance

  • Enterprise Severity denotes the timetable in which I believe enterprises should try to patch the affected vulnerabilities and may differ from Microsoft’s severity rating. Differences are usually based on past patterns of attackers who go after certain vulnerabilities (Internet Explorer, SMB, RDP, print spoolers) more often than others. This does not remove the need for effective patch review and there may be mitigating factors which may allow a somewhat more relaxed timetable. Nevertheless, those rated with a severity of 1: Critical should be considered priority in almost any environment.
    • Enterprise Severity Levels:
      1. Critical: Currently being exploited, publicly available exploit code, and/or likely to be easily exploitable in the very near future. Patch within 7 days.
      2. High: Not known to be public or public with strong mitigating factors. Patch within 30 days.
      3. Low: Not known to be public and not likely to be a reliable exploit. Patch on next scheduled update cycle or within 90 days.
  • Home Severity is not included because it is almost always the same: patch it as soon as it’s released! It’s extremely rare for a patch to break things, so it’s best to just install every patch as it’s released.
  • Patches are almost always published right around 10:00 Pacific Time on the second Tuesday of each month. Occasional out-of-band patches are also published, but these are uncommon and address vulnerabilities known to be widely exploited.

February 2013 Microsoft Security Bulletin Overview

Each bulletin below is listed with its affected products, title, Microsoft’s severity and impact, the Exploitability Index (EI), and my Enterprise Severity with its patch timetable.

MS13-009
  Affected Products: Internet Explorer
  Title: Cumulative Security Update for Internet Explorer
  Severity/Impact: Critical / Remote Code Execution
  EI: 1
  Enterprise Severity: 1: Critical (Patch within 7 days)
  Notes: Addresses 13 issues, none known to be public. Code executes with current user privileges.
  Two kinds of vulnerabilities:
    • A flaw in Japanese language encoding may allow an attacker to access data from another domain or Internet Explorer zone. For example, an attacker in a High security zone might be able to access a site listed in Trusted Sites.
    • The remaining flaws are Use After Free vulnerabilities, where Internet Explorer may try to access an object in memory that has already been deleted, resulting in corrupted memory that could allow an attacker to execute arbitrary code.

MS13-010
  Affected Products: Internet Explorer
  Title: Vulnerability in Vector Markup Language Could Allow Remote Code Execution
  Severity/Impact: Critical / Remote Code Execution
  EI: 1
  Enterprise Severity: 1: Critical (Patch within 7 days)
  Notes: Addresses 1 issue that has both RCE and Information Disclosure aspects, the latter of which has reportedly been seen in use in the wild. Code executes with current user privileges.
  Flaw in how memory buffers are allocated for Vector Markup Language (VML) content.

MS13-011
  Affected Products: Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008 (Core not affected)
  Title: Vulnerability in Media Decompression Could Allow Remote Code Execution
  Severity/Impact: Critical / Remote Code Execution
  EI: 1
  Enterprise Severity: 1: Critical (Patch within 7 days)
  Notes: Addresses 1 issue, known to be publicly disclosed. Code executes with current user privileges.
  Flaw in handling specially-crafted media files or streaming media content.

MS13-012
  Affected Products: Exchange 2007, Exchange 2010
  Title: Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution
  Severity/Impact: Critical / Remote Code Execution
  EI: 2
  Enterprise Severity: 3: Low (Patch within 90 days or on next cycle)
  Notes: Addresses 2 issues, both known to be public. One allows Remote Code Execution and one can trigger a Denial of Service condition. The RCE executes with LocalService privileges and can take any action allowed under that context. This access is significantly more limited than System and cannot undertake any significant network activity.
  Flaws in the Oracle Outside In libraries when parsing specially-crafted Paradox database files are at fault. Either can be triggered by viewing a specially-formatted Paradox DB file in Outlook Web Access. While Paradox is not officially listed as a supported file type for rendering in OWA, such files can still be viewed in OWA.

MS13-013
  Affected Products: FAST Search Server 2010 for SharePoint
  Title: Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution
  Severity/Impact: Important / Remote Code Execution
  EI: 1
  Enterprise Severity: 3: Low (Patch within 90 days or on next cycle)
  Notes: Addresses 2 issues, both known to be public. Code executes in the context of a user account with a restricted token.
  Flaws in the Oracle Outside In libraries when parsing specially-crafted files. This is at its root an Oracle issue, but Microsoft licenses these libraries for use in its products.

MS13-014
  Affected Products: Windows Server 2008 R2, Windows Server 2012 (Core affected)
  Title: Vulnerability in NFS Server Could Allow Denial of Service
  Severity/Impact: Important / Denial of Service
  EI: 3
  Enterprise Severity: 3: Low (Patch within 90 days or on next cycle)
  Notes: Addresses 1 issue, not known to be public. Causes the NFS service to restart.
  Flaw in handling a particular file operation.

MS13-015
  Affected Products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 (Core affected)
  Title: Vulnerability in .NET Framework Could Allow Elevation of Privilege
  Severity/Impact: Important / Privilege Escalation
  EI: 1
  Enterprise Severity: 2: High (Patch within 30 days)
  Notes: Addresses 1 issue, not known to be public. Code executes with system privileges.
  Caused by the .NET Framework improperly elevating the permissions of a callback function when a particular WinForms object is created. This may happen when an attacker hosts a malicious website, or when an attacker is attempting to bypass Code Access Security in a Windows .NET Framework application.

MS13-016
  Affected Products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 (Core affected)
  Title: Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
  Severity/Impact: Important / Privilege Escalation
  EI: 2
  Enterprise Severity: 2: High (Patch within 30 days)
  Notes: Addresses 30 issues, none known to be public. Code executes with system privileges.
  Race conditions in the kernel-mode driver may allow an attacker to read arbitrary amounts of kernel memory. This may expose sensitive information such as password material, settings, or other data held in kernel memory.

MS13-017
  Affected Products: Windows XP, Windows Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 (Core affected)
  Title: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
  Severity/Impact: Important / Privilege Escalation
  EI: 1
  Enterprise Severity: 2: High (Patch within 30 days)
  Notes: Addresses 3 issues, none known to be public. Code executes in kernel mode, allowing unlimited access.
  Two race conditions and a flaw in how the kernel handles certain objects in memory may allow any action to be undertaken.

MS13-018
  Affected Products: Windows Vista, Windows 7, Windows 8, Windows RT, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012 (Core affected)
  Title: Vulnerability in TCP/IP Could Allow Denial of Service
  Severity/Impact: Important / Denial of Service
  EI: 1
  Enterprise Severity: 2: High (Patch within 30 days)
  Notes: Addresses 1 issue, not known to be public. Causes the system to reboot.
  Caused by improper handling of a specially-formatted FIN packet. Servers would be the most likely targets. This vulnerability may draw interest from potential attackers.

MS13-019
  Affected Products: Windows 7, Windows Server 2008 R2 (Core affected)
  Title: Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege
  Severity/Impact: Important / Privilege Escalation
  EI: 2
  Enterprise Severity: 2: High (Patch within 30 days)
  Notes: Addresses 1 issue, known to be publicly disclosed. Code executes with system privileges.
  Improper handling of objects in memory; an attacker must be logged on to the system. This generally would require credentials, though this exploit may be chained with another exploit that gains access first and then leveraged to improve that access.

MS13-020
  Affected Products: Windows XP
  Title: Vulnerability in OLE Automation Could Allow Remote Code Execution
  Severity/Impact: Critical / Remote Code Execution
  EI: 1
  Enterprise Severity: 1: Critical (Patch within 7 days)
  Notes: Addresses 1 issue, not known to be public. Code executes with system privileges.
  Flaw in how OLE Automation handles specially-crafted files. This includes specially-crafted RTF-formatted e-mail messages and may also include specially-crafted web pages.

Exploitability Index (EI):
  1. Consistent exploit code likely
  2. Inconsistent exploit code likely
  3. Functioning exploit code unlikely

For a cumulative patch, the EI shown is the highest exploitability among the issues it addresses.
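The Enterprise Severity timetable and the EI legend above, turned into a small patch-deadline tracker for this month’s bulletins. This is an added example, not something from the original post; it assumes the regular release day is the second Tuesday of the month, as stated in the Chart Guidance, and takes the severity and EI values from the table.

```python
from datetime import date, timedelta

# Enterprise Severity -> patch window in days (from the Chart Guidance above).
PATCH_WINDOW_DAYS = {1: 7, 2: 30, 3: 90}

# February 2013 bulletins as rated in the table above:
# (bulletin id, enterprise severity, exploitability index).
FEB_2013_BULLETINS = [
    ("MS13-009", 1, 1), ("MS13-010", 1, 1), ("MS13-011", 1, 1),
    ("MS13-012", 3, 2), ("MS13-013", 3, 1), ("MS13-014", 3, 3),
    ("MS13-015", 2, 1), ("MS13-016", 2, 2), ("MS13-017", 2, 1),
    ("MS13-018", 2, 1), ("MS13-019", 2, 2), ("MS13-020", 1, 1),
]


def patch_tuesday(year, month):
    """Second Tuesday of the month: the regular bulletin release day (assumed from the text)."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1.
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def patch_deadlines(bulletins, released):
    """Bulletins ordered by enterprise priority, each with its patch-by date.

    Sort key: enterprise severity first (1 before 3), then EI (consistent
    exploit code likely first), then bulletin id for a stable listing.
    """
    rows = [(bid, sev, ei, released + timedelta(days=PATCH_WINDOW_DAYS[sev]))
            for bid, sev, ei in bulletins]
    rows.sort(key=lambda r: (r[1], r[2], r[0]))
    return rows


def overdue(bulletins, released, as_of, patched=()):
    """Ids of bulletins whose patch window has closed on `as_of` and that are not yet applied."""
    return [bid for bid, _, _, due in patch_deadlines(bulletins, released)
            if as_of > due and bid not in patched]


if __name__ == "__main__":
    release = patch_tuesday(2013, 2)
    for bid, sev, ei, due in patch_deadlines(FEB_2013_BULLETINS, release):
        print(f"{bid}  enterprise severity {sev}  EI {ei}  patch by {due}")
    # What is still open on the following Patch Tuesday if nothing has been applied yet?
    print("overdue on next Patch Tuesday:",
          overdue(FEB_2013_BULLETINS, release, patch_tuesday(2013, 3)))
```

Feed `patched` the ids your inventory reports as installed to get the outstanding list for a given date.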
