VERT Alert - July 10, 2013

July 10, 2013 5:00 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses 10 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-510 on Wednesday, May 15th.

Bulletin  Vulnerability                                                    CVE
MS13-052  TrueType Font Parsing Vulnerability                              CVE-2013-3129
          Array Access Violation Vulnerability                             CVE-2013-3131
          Delegate Reflection Bypass Vulnerability                         CVE-2013-3132
          Anonymous Method Injection Vulnerability                         CVE-2013-3133
          Array Allocation Vulnerability                                   CVE-2013-3134
          Delegate Serialization Vulnerability                             CVE-2013-3171
          Null Pointer Vulnerability                                       CVE-2013-3178
MS13-053  Win32k Memory Allocation Vulnerability                           CVE-2013-1300
          Win32k Dereference Vulnerability                                 CVE-2013-1340
          Win32k Vulnerability                                             CVE-2013-1345
          TrueType Font Parsing Vulnerability                              CVE-2013-3129
          Win32k Information Disclosure Vulnerability                      CVE-2013-3167
          Win32k Buffer Overflow Vulnerability                             CVE-2013-3172
          Win32k Buffer Overflow Vulnerability                             CVE-2013-3173
          Win32k Read AV Vulnerability                                     CVE-2013-3660
MS13-054  TrueType Font Parsing Vulnerability                              CVE-2013-3129
MS13-055  Shift JIS Character Encoding Vulnerability                       CVE-2013-3166
          Multiple Memory Corruption Vulnerabilities in Internet Explorer  MULTIPLE
MS13-056  DirectShow Arbitrary Memory Overwrite Vulnerability              CVE-2013-3174
MS13-057  WMV Video Decoder Remote Code Execution Vulnerability            CVE-2013-3127
MS13-058  Microsoft Windows 7 Defender Improper Pathname Vulnerability     CVE-2013-3154

MS13-052

The first bulletin this month contains 7 CVEs affecting .NET and Silverlight. Because Silverlight is included, this bulletin has a drive-by attack vector for both Windows and Mac users. This is also the first of 3 bulletins this month to include a fix for CVE-2013-3129. If you were to split out the top three patches to install, this one would be included in that group. It is also important to note that there are different patches for .NET and Silverlight, so multiple patches may need to be installed.

MS13-053

This month’s second bulletin contains a couple of points worth mentioning. First, it includes the publicly discussed CVE-2013-3660, which has already been included in known exploit frameworks. This bulletin is also the second this month to include CVE-2013-3129. Given the multiple attack vectors for this CVE, it’s likely that it will be a popular choice for exploit authors. This patch would be the second to be included in our Top 3 list of patches to install this month. 

MS13-054

The third bulletin this month is the final bulletin to include a fix for CVE-2013-3129; unfortunately it’s also one of the messier bulletins as Windows, Office, Visual Studio .NET, and Microsoft Lync all appear in the affected software list. Be sure to apply all required patches to your systems. 

MS13-055

Bulletin number four this month is the bulletin that normally starts us off, Internet Explorer. This month, much like last month, brings a rather large list of vulnerabilities. In total, 17 CVEs are patched in today’s IE update. Given the popularity of IE and IE-related exploits, it is advisable to install this patch as soon as possible… it would definitely be the final patch in our Top 3 list.

MS13-056

MS13-056 is an interesting bulletin because there are no known Microsoft products that provide an attack surface to access the vulnerabilities. Instead, the vulnerability is exposed via third-party products that use the Microsoft DirectShow libraries to process GIFs. Thankfully, these third-party products don’t need to be updated individually… applying the patch found in this bulletin will resolve the issue. 

MS13-057

The second-to-last bulletin this month resolves a single vulnerability affecting Windows Media Player’s WMV decoder. The important pieces of information to note here are the numerous (6) footnotes on the affected software list indicating when specific updates are offered. This is important information to consider when ensuring that all systems are properly patched.

MS13-058

The final bulletin this month is reminiscent of Security Advisory 2846338 released in May. The style of attack is similar, but instead of affecting Microsoft Malware Protection Engine (as the advisory in May did), this month’s bulletin discusses Windows Defender. This attack has a very low barrier to entry but requires write permission to the root of the system drive. Ideally, in most situations, end users will not have permission to do that in enterprise environments, which will limit the successful exploitation of this vulnerability.

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Ease of Use          Bulletins
Automated Exploit    MS13-053
Easy                 -
Moderate             MS13-058
Difficult            -
Extremely Difficult  MS13-052
No Known Exploit     MS13-054, MS13-056, MS13-057, MS13-055

Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

All data and commentary is based on information available when the VERT Alert is published.