Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-527 on Wednesday, September 11th.

MS13-067

SharePoint Denial of Service Vulnerability CVE-2013-0081
Microsoft Office Memory Corruption Vulnerability CVE-2013-1315
MAC Disabled Vulnerability CVE-2013-1330
SharePoint XSS Vulnerability CVE-2013-3179
POST XSS Vulnerability CVE-2013-3180
Multiple Memory Corruption Vulnerabilities in Word MULTIPLE

MS13-068

Message Certificate Vulnerability CVE-2013-3870

MS13-069

Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS13-070

OLE Property Vulnerability CVE-2013-3863

MS13-071

Windows Theme File Remote Code Execution Vulnerability CVE-2013-0810

MS13-072

XML External Entities Resolution Vulnerability CVE-2013-3160
Multiple Memory Corruption Vulnerabilities MULTIPLE

MS13-073

Microsoft Office Memory Corruption Vulnerability CVE-2013-1315
Microsoft Office Memory Corruption Vulnerability CVE-2013-3158
XML External Entities Resolution Vulnerability CVE-2013-3159

MS13-074

Multiple Access Memory Corruption Vulnerabilities MULTIPLE

MS13-075

Chinese IME Vulnerability CVE-2013-3859

MS13-076

Multiple Win32k Multiple Fetch Vulnerabilities MULTIPLE
Win32k Elevation of Privilege Vulnerability CVE-2013-3866

MS13-077

Service Control Manager Double Free Vulnerability CVE-2013-3862

MS13-078

XML Disclosure Vulnerability CVE-2013-3137

MS13-079

Remote Anonymous DoS Vulnerability CVE-2013-3868


MS13-067

The first bulletin this month resolves 10 CVEs associated with SharePoint components. There’s a denial of service, a couple of XSS issues, and a number of memory corruption vulnerabilities but the one worth talking about is the MAC Disabled Vulnerability.

If an authenticated user were to manipulate the viewstate parameter, they could execute code under the W3WP service account. This becomes a much bigger risk when you consider that a number of people run their SharePoint servers without authentication.

The process for disabling authentication is well documented and greatly increases risk for enterprises that choose to implement it.
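A defender-side check for the condition behind the MAC Disabled Vulnerability, as an added example that is not part of the original alert or of Microsoft's guidance. It assumes the standard ASP.NET controls for view state MAC (the `enableViewStateMac` attribute on `<pages>` in web.config and the `EnableViewStateMac` attribute of the `@ Page` directive); the sample inputs and function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from any real server).
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <pages enableViewStateMac="true" />
  </system.web>
  <location path="_layouts/custom">
    <system.web>
      <pages enableViewStateMac="false" />
    </system.web>
  </location>
</configuration>"""

# Constructed sample .aspx page that overrides the setting per page.
SAMPLE_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html></html>'

# Matches a @ Page directive that turns the view state MAC off.
_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*"\s*false\s*"', re.I)


def config_findings(xml_text):
    """Return the scopes ('<root>' or a <location> path) in which a
    <pages> element sets enableViewStateMac to false."""
    root = ET.fromstring(xml_text)
    # The site-wide <system.web> plus every per-path <location> override.
    scopes = [("<root>", root)]
    scopes += [(loc.get("path", ""), loc) for loc in root.iter("location")]
    findings = []
    for name, node in scopes:
        for pages in node.findall("system.web/pages"):
            # Normalise attribute names and values before comparing.
            attrs = {k.lower(): v.strip().lower() for k, v in pages.attrib.items()}
            if attrs.get("enableviewstatemac") == "false":
                findings.append(name)
    return findings


def page_disables_mac(aspx_text):
    """True if the page's @ Page directive disables the view state MAC."""
    return bool(_DIRECTIVE.search(aspx_text))


if __name__ == "__main__":
    print("web.config scopes with MAC disabled:", config_findings(SAMPLE_WEB_CONFIG))
    print("page directive disables MAC:", page_disables_mac(SAMPLE_ASPX))
```

Checking `<location>` overrides and page directives matters because a site-wide `true` does not prevent a single path or page from switching the MAC off.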

MS13-068

The single vulnerability in MS13-068 affects Microsoft Outlook 2007 and 2010. This S/MIME parsing vulnerability can be exploited via the preview pane; however, reliable exploit development seems unlikely based on Microsoft’s blog post [1].

Even if attackers sprint toward exploit development on this one, enterprises following a typical patch management process should have this patched before exploits are available.

MS13-069

The third bulletin this month contains the regularly scheduled Internet Explorer update. There’s not much to add since IE has become a regular on Patch Tuesday, so we’ll stick to the basics. Install this update as soon as your process allows.

MS13-070

This bulletin contains a single OLE vulnerability. OLE objects can be embedded in various Office documents and Microsoft has predicted [2] that the most likely attack vector will be Microsoft Visio. There is also an attack vector via Windows Explorer preview but it’s much more difficult to exploit.

MS13-071

Up next this month we have a bulletin that resolves a vulnerability in Microsoft theme files, the files that are responsible for how your computer looks and sounds. Opening a malicious theme file could lead to code execution.

MS13-072

This month’s Word bulletin is interesting in that many of the vulnerabilities are not unique to this bulletin. Of the 13 CVEs, 6 of them overlap with other bulletins this month.

Five of them overlap with the SharePoint bulletin (specifically Office WebApps Word), and the final one is also fixed in MS13-073 (Excel) and MS13-078 (FrontPage).

MS13-073

As mentioned above, MS13-073 is an Excel bulletin and is pretty standard as far as Excel bulletins go. There are two caveats to consider on this bulletin though.

The first is that in order to fully patch Excel 2007 both the Excel 2007 and the Office Compatibility Pack updates must be installed. The second is that Excel Viewer must be updated to a supported version before the update will be offered.

MS13-074

Microsoft Office related bulletins were a noticeable trend this month and that trend continues with MS13-074. This bulletin resolves three CVEs affecting ACCDB files, an Access database file introduced in Access 2007.

MS13-075

YATOV (Yet Another Office Vulnerability) is patched in MS13-075. This one is specific to the Chinese IME that is installed with the Chinese version of Microsoft Office and available as an optional install for the English version of Microsoft Office. The vulnerability could allow a user to run a binary with elevated privileges.

MS13-076

Since we’ve gathered most of the usual suspects this month, we might as well add one more. MS13-076 resolves 7 vulnerabilities affecting Win32k.sys. This bulletin runs the gamut of Windows versions from XP through to 2012, providing potential privilege escalations on each platform.

MS13-077

The vulnerability resolved by MS13-077 is slightly interesting. To exploit the vulnerability, you would require write access to the portion of the registry read by the Service Control Manager. Since most users shouldn’t have write access to the registry this should be mitigated for most end-user systems.

MS13-078

Nothing overly interesting to add for MS13-078 as it contains a single vulnerability, CVE-2013-3137. This is the information disclosure vulnerability patched for both Word and Excel.

The vulnerability allows an attacker to potentially read the contents of files on the local file system. This vulnerability is not unlike CVE-2013-1301, patched in MS13-044 for Microsoft Visio.

MS13-079

The final bulletin of the month contains a denial of service against Active Directory Services. A specially crafted LDAP request can cause the LDAP service to stop responding until the service or system is restarted.

Additional Information

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of Use: Automated Exploit, Easy, Moderate, Difficult, Extremely Difficult, No Known Exploit
Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged
Bulletins: MS13-078 | MS13-068, MS13-069, MS13-070, MS13-071, MS13-072, MS13-073, MS13-074 | MS13-079 | MS13-075, MS13-076, MS13-077 | MS13-067


Tyler Reguly
