VERT Alert - December 10, 2013

Today’s VERT Alert addresses 11 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-540 on Wednesday, December 11th.

| Bulletin | Vulnerability | CVE |
|----------|---------------|-----|
| MS13-096 | Microsoft Graphics Component Memory Corruption Vulnerability | CVE-2013-3906 |
| MS13-097 | Multiple Elevation of Privilege Vulnerabilities in Internet Explorer | MULTIPLE |
| | Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| MS13-098 | WinVerifyTrust Signature Validation Vulnerability | CVE-2013-3900 |
| MS13-099 | Use-After-Free Vulnerability in Microsoft Scripting Runtime Object Library | CVE-2013-5056 |
| MS13-100 | SharePoint Page Content Vulnerabilities | CVE-2013-5059 |
| MS13-101 | Win32k Memory Corruption Vulnerability | CVE-2013-3899 |
| | Win32k Use After Free Vulnerability | CVE-2013-3902 |
| | TrueType Font Parsing Vulnerability | CVE-2013-3903 |
| | Port-Class Driver Double Fetch Vulnerability | CVE-2013-3907 |
| | Win32k Integer Overflow Vulnerability | CVE-2013-5058 |
| MS13-102 | LRPC Client Buffer Overrun Vulnerability | CVE-2013-3878 |
| MS13-103 | SignalR XSS Vulnerability | CVE-2013-5042 |
| MS13-104 | Token Hijacking Vulnerability | CVE-2013-5054 |
| MS13-105 | Oracle Outside In Contains Multiple Exploitable Vulnerabilities | MULTIPLE |
| | MAC Disabled Vulnerability | CVE-2013-1330 |
| | OWA XSS Vulnerability | CVE-2013-5072 |
| MS13-106 | HXDS ASLR Vulnerability | CVE-2013-5057 |

MS13-096

The first vulnerability patched this month is likely the most critical one. Normally, this wouldn’t make the top of the list; however, given that the vulnerability is public and has been used in the wild, this patch should be given the most attention. Microsoft has previously discussed this vulnerability in a Security Research & Defense blog post[1].

MS13-097

Up next, we have the monthly Internet Explorer update. This is a regular update at this point and 100% expected; even the vulnerabilities contained within the update are standard fare. Given that this is IE, applying the update is critical, but deployment should be second nature for system administrators by now.

MS13-098

The third bulletin this month is one of the more interesting ones. It describes an issue with Authenticode that is handled in two ways. First, the patch fixes known issues; then, in 6 months (June 10th, 2014), the second half will go into effect. The issue was Authenticode-signed installers that downloaded an external binary where the URL of the binary wasn’t included in the signed portion of the code, meaning a malicious individual could change the URL and redistribute the signed file. When the second half of this fix goes live, this practice will no longer be supported and installers that function this way will be broken. If users want to use the improved method immediately, a registry change can enable the functionality. Microsoft has released an advisory with more details on enabling the change[2] as well as a blog post detailing the issue[3].
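An added example, not from the original alert or from Microsoft: a Python check for the condition MS13-098 addresses, namely data stored in a signed PE's certificate table after the signature blob, where the Authenticode hash does not cover it. The function names, the constructed sample file and the "more than 7 bytes or any non-zero byte" threshold are assumptions of this example, not Microsoft's exact validation logic.

```python
import struct

def der_total_length(blob: bytes) -> int:
    """Size of the outer DER SEQUENCE (tag + length bytes + content)."""
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("certificate blob is not a DER SEQUENCE")
    if blob[1] < 0x80:                       # short-form length
        return 2 + blob[1]
    n = blob[1] & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def unsigned_cert_trailer(pe: bytes) -> bytes:
    """Bytes in the first WIN_CERTIFICATE that follow the PKCS#7 blob."""
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 24                      # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", pe, opt)
    dirs = opt + (112 if magic == 0x20B else 96)   # PE32+ vs PE32
    # Data directory 4 = certificate table; its address is a file offset.
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + 4 * 8)
    if cert_off == 0 or cert_size == 0:
        return b""                           # file carries no signature
    (dw_length,) = struct.unpack_from("<I", pe, cert_off)
    body = pe[cert_off + 8:cert_off + dw_length]   # skip 8-byte header
    return body[der_total_length(body):]

def has_extraneous_cert_data(pe: bytes) -> bool:
    """Assumed heuristic: allow only up to 7 zero bytes of alignment padding."""
    trailer = unsigned_cert_trailer(pe)
    return len(trailer) > 7 or any(trailer)

def build_sample(trailer: bytes) -> bytes:
    """Constructed input: bare PE32 headers plus a stand-in 4-byte 'signature'."""
    cert = bytes([0x30, 0x02, 0x05, 0x00]) + trailer   # SEQUENCE { NULL }
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x98, 0x10B)
    struct.pack_into("<II", hdr, 0x98 + 96 + 32, 0x200, 8 + len(cert))
    return bytes(hdr) + struct.pack("<IHH", 8 + len(cert), 0x0200, 2) + cert

if __name__ == "__main__":
    for t in (b"\0" * 4, b"http://example.invalid/payload.exe"):
        print(len(t), has_extraneous_cert_data(build_sample(t)))
```

Run over an installer inventory, a hit identifies files that carry unsigned data alongside a valid signature and are therefore candidates to break once strict verification is enabled.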

MS13-099

This bulletin describes a single vulnerability that affects Windows Scripting. Given the nature of Windows Scripting and support for VBScript, this vulnerability could be leveraged to provide a drive-by attack against users. This potential attack vector increases the risk and raises the criticality of this issue.

MS13-100

SharePoint has been patched frequently this year, and Microsoft decided to give us one more patch before we finished the year. This patch fixes a vulnerability that could allow an authenticated user to run code in the context of the W3WP service.

MS13-101

Just like SharePoint, True-Type Font and Win32k.sys vulnerabilities have been popular this year. We’re wrapping up the year with 5 additional kernel-mode driver privilege escalations fixed by Microsoft in this bulletin.

MS13-102

This next bulletin is a reminder of why older operating systems need to go away (only 4 months until XP is out of support). Only Windows XP and Server 2003 are vulnerable to this and the attacker requires access to the system to exploit this privilege escalation vulnerability.

MS13-103

This bulletin contains a vulnerability titled “SignalR XSS Vulnerability” and it may end up competing for most annoying Microsoft patch to apply this year. There are two affected products here: ASP.NET SignalR and Visual Studio Team Foundation Server 2013. While TFS has a rather straightforward patch, the ASP.NET portion of the bulletin is worth paying attention to. The proper fix for this issue is to download the SignalR Library update and rebuild your hosted ASP.NET applications. This is fine if you’re hosting your own applications, but if you’re hosting for others then you’d better visit the download center and download the ASP.NET update, which will work as an interim solution until your hosted applications are fixed.

MS13-104

MS13-104 falls into the category of “Microsoft fails at vulnerability classification”. The vulnerability looks harmless enough when it’s labeled as an “Information Disclosure”, but when you dig in you realize that successful exploitation of the vulnerability could give the attacker full access to all your data stored on SharePoint. Keep that in mind when prioritizing this vulnerability; the risk to your environment may vary greatly.

MS13-105

Microsoft has patched Exchange a couple of times and we always see the same issues fixed: Oracle Outside In issues that were patched by Oracle a few months earlier. This month is the same, fixing two CVEs that Oracle had previously patched. In addition, this bulletin fixes two other issues, one of which is Cross-Site Scripting related.

MS13-106

The (hopefully) final bulletin of the year is a long-expected fix to an ASLR bypass in hxds.dll (a component of Office). While this vulnerability doesn’t lead to direct code execution, it has been used in many recent exploits as an ASLR bypass to lead to successful exploitation. Even though it’s a fairly unimportant vulnerability on its own, this should rank fairly high on the patches-to-apply list as it will mitigate existing exploit code for other vulnerabilities.

Additional Information

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

 

Ease of Use (published exploits) to Risk Table

Ease of use (rows) and the bulletins placed in each row:

Automated Exploit: MS13-096
Easy: (none)
Moderate: MS13-098
Difficult: (none)
Extremely Difficult: MS13-105
No Known Exploit: MS13-104, MS13-106, MS13-097, MS13-099, MS13-103, MS13-100, MS13-101, MS13-102

Exposure (column headings): Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged