VERT Alert - March 12, 2013

March 12, 2013 8:24 PM (PT)

The Tripwire VERT Alert is brought to you by nCircle VERT, nCircle's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses 7 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-501 on Wednesday, March 13th.

Multiple Use After Free Vulnerabilities in Internet Explorer MULTIPLE
Silverlight Double Dereference Vulnerability CVE-2013-0074
Visio Viewer Tree Object Type Confusion Vulnerability CVE-2013-0079
Callback Function Vulnerability CVE-2013-0080
SharePoint XSS Vulnerability CVE-2013-0083
SharePoint Directory Traversal Vulnerability CVE-2013-0084
Buffer Overflow Vulnerability CVE-2013-0085
Buffer Size Validation Vulnerability CVE-2013-0086
Unintended Content Loading Vulnerability CVE-2013-0095
Windows USB Descriptor Vulnerability CVE-2013-1285
Windows USB Descriptor Vulnerability CVE-2013-1286
Windows USB Descriptor Vulnerability CVE-2013-1287


The first bulletin this month is responsible for nearly half the vulnerabilities patched this month. 9 of this month's 20 CVEs are related to Internet Explorer. The most interesting CVE in the lot is likely CVE-2013-1288, which has publicly available exploit code. It's also interesting that IE10 isn't vulnerable to any of these vulnerabilities when running on Windows 7 but it is when running on Windows 8.


Up next this month we have a single vulnerability in Microsoft Silverlight. According to, Silverlight is used on 0.2% of all websites, which means that, for many people, Silverlight may not be a necessity. A few large, popular sites do use Silverlight though, in which case you'll want to prioritize this update ahead of most others.


A vulnerability in Visio Viewer is next on the list this month and drive-by attacks are a possibility using embedded Visio documents. This bulletin also contains patches for Visio 2010 and the Office 2010 Filter Pack. While the attack vector for this specific vulnerability is not available, these patches are still recommended for installation.


SharePoint is becoming a popular target for Microsoft bulletins, which means it’s become a popular target for attackers and researchers. This month, 4 issues are fixed that affect SharePoint 2010, specifically the Web Analytics service. The most serious of the issues is a persistent XSS that could allow the attacker to inject script that an administrator may inadvertently execute.


This month's most yawn-inducing update is definitely MS13-025. A single information disclosure vulnerability affect Microsoft OneNote is fixed in this bulletin. Successfully convincing a OneNote user to open a malicious OneNote file could lead to memory disclosure.


This bulletin affects Office for Mac 2008 and 2011, specifically the outlook component. An issue exists where HTML content can be loaded without the users interaction, disclosing to the attacker that the email has been viewed and read.


The final bulletin this month wins the prize for most interesting. MS13-027 describes three vulnerabilities affecting the USB Driver on Windows operating systems. A malicious USB thumb drive could be used to gain full control of a system. Unlike past auto-run vulnerabilities, a user doesn’t need to be logged in to exploit this vulnerability. In something reminiscent to "television hacking" and Hollywood movies, a locked computer could be completely owned simply by plugging in a USB device. This is the bulletin to watch for over the next few weeks, as we're likely to see interesting developments.

Additional Information

In addition to the standard Microsoft updates, Adobe has released an update to Flash, which has, in turn, lead to the release of an update to IE10, in addition to the update listed above.

As always VERT recommends that you apply all the patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table:

Automated Exploit
Extremely Difficult
No Known Exploit
Local Availability
Remote Availability
Remote Access
Local Privileged
Remote Privileged

All data and commentary is based on information available when the VERT Alert is published.