VERT Alert - February 12, 2013

February 12, 2013 4:30 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, nCircle's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today's VERT Alert addresses 12 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-497 on Wednesday, February 13th.

Shift JIS Character Encoding Vulnerability CVE-2013-0015
Multiple Use After Free Vulnerabilities in Internet Explorer MULTIPLE
VML Memory Corruption Vulnerability CVE-2013-0030
Media Decompression Vulnerability CVE-2013-0077
Oracle Outside In Contains Multiple Exploitable Vulnerabilities MULTIPLE
Oracle Outside In Contains Multiple Exploitable Vulnerabilities MULTIPLE
NULL Dereference Vulnerability CVE-2013-1281
WinForms Callback Elevation Vulnerability CVE-2013-0073
Win32k Race Condition Vulnerabilities MULTIPLE
Kernel Race Condition Vulnerability CVE-2013-1278
Kernel Race Condition Vulnerability CVE-2013-1279
Windows Kernel Reference Count Vulnerability CVE-2013-1280
TCP FIN WAIT Vulnerability CVE-2013-0075
Reference Count Vulnerability CVE-2013-0076
OLE Automation Remote Code Execution Vulnerability CVE-2013-1313


Our February Patch Tuesday starts off with 13 Internet Explorer CVEs. We’ve come to expect IE updates on a monthly basis (and, as we saw in January, sometimes twice a month). Where this update gets confusing is that some of the patches contain the fix for MS13-010 as well as MS13-009. Our suggestion: install both patches every time.


While last month saw two IE bulletins on two different days, this month we’re getting the second IE bulletin on the same day. This bulletin addresses a VML vulnerability, which is why we’re not seeing it rolled into the IE patch.


The third bulletin this month addresses an issue in Quarts.dll aka DirectShow aka DirectX. The last time we saw an issue here was back in 2010. Newer platforms (Windows 7 and newer) are not affected by this issue, so the subset of Windows users running XP through Server 2008 will need to look into applying this patch. This vulnerability had been publicly disclosed prior to the release of this bulletin.


A common theme lately has been vulnerabilities associated with Oracle and MS13-012 represents the first of two Oracle-related bulletins this month. This one refers to the WebReady Document Viewing feature found in Exchange and used with Outlook Web Access. These CVEs were referenced in the Oracle January Critical Patch Update.


MS13-013 is the second Oracle-related bulletin this month and also fixes Oracle Outside In related vulnerabilities. It’s interesting to note that these are not the same issues fixed in MS13-012, these issues were resolved in Exchange back in MS12-080.


This bulletin references a technology that you don’t often hear mentioned these days, NFS. The specific issue involves causing a system restart by attempting to rename a file on a read-only NFS share. While NFS is a rarity in most situations, it can be common in VMware ESXi deployments where file shares are mounted remotely via NFS.


Where would a Patch Tuesday be without a .NET bulletin? This month we see a single vulnerability patched. This bulletin would be best summed up with the hashtag, #YAPTA, Yet Another Patch to Apply.


#YAPTA! Win32K.sys is one of the usual suspects on Patch Tuesday and this month is no different, however instead of the usual CVE or two, we find ourselves looking at a rather imposing list of 30 CVEs, all credited to the same person.


This bulletin feels like an extension of MS13-016, possible due to the naming of the individual vulnerabilities and possibly due to the acknowledgements. In the end, we’re looking at three additional CVEs affecting the Windows kernel.


Whenever you see TCP/IP in the title of a bulletin everyone’s hearts start to be beat a little faster. Luckily, in this case, the issue is a denial of service that appears to be difficult to achieve. Rather than explain how the vulnerability works, I’ll refer everyone to a Microsoft SR&D blog post that explains the issue quite well.


The second last bulletin of the month affects only the Windows 6.1 (Windows 7 and Server 2008 R2) family. It’s a privilege escalation issue affecting the WIndows Client/Server Run-time Subsystem (CSRSS).


The month ends on a Windows XP only vulnerability that affects OLE Automation. This vulnerability can be exploited using specially crafted RTF files.

Additional Information

In addition to the standard Microsoft updates, Adobe has released an update to Flash, which has, in turn, lead to the release of an update to IE10, in addition to the update listed above.




As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table:

Automated Exploit
Extremely Difficult
No Known Exploit
Local Availability
Remote Availability
Remote Access
Local Privileged
Remote Privileged


All data and commentary is based on information available when the VERT Alert is published.