VERT Alert - January 8, 2013

January 8, 2013 4:00 PM (PT)

Today’s VERT Alert addresses seven new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-492 on Wednesday, January 9th.

MS13-001 Windows Print Spooler Components Vulnerability CVE-2013-0011
MSXML Integer Truncation Vulnerability CVE-2013-0006
MSXML XSLT Vulnerability CVE-2013-0007
System Center Operations Manager Web Console XSS Vulnerability CVE-2013-0009
System Center Operations Manager Web Console XSS Vulnerability CVE-2013-0010
System Drawing Information Disclosure Vulnerability CVE-2013-0001
WinForms Buffer Overflow Vulnerability CVE-2013-0002
S.DS.P Buffer Overflow Vulnerability CVE-2013-0003
Double Construction Vulnerability CVE-2013-0004
Win32k Improper Message Handling Vulnerability CVE-2013-0008
Microsoft SSL Version 3 and TLS Protocol Security Feature Bypass Vulnerability CVE-2013-0013
Replace Denial of Service Vulnerability CVE-2013-0005



The first vulnerability patched by Microsoft in 2013 affects the print spooler service. It’s interesting to note that this is not the typical print spooler vulnerability that we’re used to seeing; rather, it requires that an attacker send malicious information to the print server. Clients could trigger the vulnerability by querying the server for specific information. Internal components of Windows cannot trigger this vulnerability, so the client would need to run third-party printer software on their system. Microsoft has published a blog post[1] with more information on the subject.


Next, we have the patch that should be applied first this month. Two vulnerabilities are resolved by the patch in this bulletin, both of which can be exploited by browsing to a malicious website. It’s important to note the list of affected software for this bulletin: Windows, Office, SharePoint, Groove Server, and others are listed.


The third bulletin this month is only available via the Microsoft Download Center and resolves two XSS issues affecting Microsoft System Center Operations Manager. While both SCOM 2007 SP1 and SCOM 2007 R2 are affected, only one patch (for SCOM 2007 R2) is currently available. At this point, there is no indication of when the SCOM 2007 SP1 patch will be made available.


This is the first of two bulletins this month patching the .NET Framework. In this case the issues resolved revolve around XBAPs. Since settings were adjusted last year to block XBAPs by default in the Internet zone, the risk of exploit is reduced for most users.


It’s becoming common to see a bulletin titled “Windows Kernel-Mode Driver”, and this month ensures that tradition continues, patching a vulnerability in the message handling found in Win32k.sys. Only Windows 6.0 (Vista and newer) systems are affected by this issue.


The second-to-last bulletin this month resolves a security feature bypass affecting Microsoft’s SSL/TLS implementation. A flaw in the implementation could allow an attacker who is able to man-in-the-middle the session to downgrade it from SSLv3/TLS to SSLv2. The attacker could then exploit weaknesses in SSLv2 to determine information regarding the session. It should be noted that the downgrade cannot be performed if the system has already been configured to disable SSLv2.
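
Whether a given Windows host has SSLv2 explicitly disabled can be read from its Schannel protocol settings. The PowerShell below is an added example, not part of the original VERT Alert: it assumes the standard Schannel registry location for SSL 2.0, and the function name Get-Ssl2State is hypothetical.

```powershell
# Added example (not from the VERT Alert): report whether SSL 2.0 is explicitly
# disabled in the local Schannel configuration. Read-only; changes nothing.
# Assumption: settings live under the standard Schannel "Protocols" key.
$Ssl2Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

function Get-Ssl2State {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Client', 'Server')]
        [string]$Role
    )

    $path  = Join-Path $Ssl2Key $Role
    $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue

    # A missing key or value means no explicit setting: the OS default applies,
    # and that default differs between Windows versions and between roles.
    $enabled = $null
    $disabledByDefault = $null
    if ($props) {
        if ($props.PSObject.Properties['Enabled'])           { $enabled = $props.Enabled }
        if ($props.PSObject.Properties['DisabledByDefault']) { $disabledByDefault = $props.DisabledByDefault }
    }

    if ($null -eq $enabled) { $state = 'NotConfigured' }
    elseif ($enabled -eq 0) { $state = 'Disabled' }
    else                    { $state = 'Enabled' }   # any non-zero DWORD

    New-Object PSObject -Property @{
        Role              = $Role
        State             = $state
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
    }
}

$report = 'Client', 'Server' | ForEach-Object { Get-Ssl2State -Role $_ }
$report | Format-Table Role, State, Enabled, DisabledByDefault -AutoSize

# Only an explicit Enabled = 0 is treated as "configured to disable SSLv2";
# list every role where that is not the case.
$open = @($report | Where-Object { $_.State -ne 'Disabled' })
if ($open.Count -gt 0) {
    Write-Warning ("SSL 2.0 not explicitly disabled for: " + (($open | ForEach-Object { $_.Role }) -join ', '))
}
```

A role reported as NotConfigured is not necessarily exposed; it means the answer depends on the Windows version's default rather than on an explicit setting.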


The final bulletin this month is the second set of .NET patches that users will need to apply. A denial of service vulnerability that could lead to an exhaustion of system resources exists in the Open Data (OData) protocol.

Additional Information

In addition to the standard Microsoft updates, Adobe has released an update to Flash[2], which has, in turn, led to the release of an update to IE10[3], in addition to the update listed above. Adobe has also released updates to Reader[4] and ColdFusion[5].

As always, VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.


Ease of Use (published exploits) to Risk Table:

Ease of use levels: Automated Exploit, Extremely Difficult, No Known Exploit
Risk categories: Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged

All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the nCircle website as new information surfaces:

