VERT Alert - May 14, 2013

May 14, 2013 5:00 PM (PT)

The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.

Today’s VERT Alert addresses 10 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-510 on Wednesday, May 15th.
Bulletin | Vulnerability | CVE
MS13-037 | JSON Array Information Disclosure Vulnerability | CVE-2013-1297
MS13-037 | Multiple Use After Free Vulnerabilities in Internet Explorer | MULTIPLE
MS13-038 | Internet Explorer Use After Free Vulnerability | CVE-2013-1347
MS13-039 | HTTP.sys Denial of Service Vulnerability | CVE-2013-1305
MS13-040 | XML Digital Signature Spoofing Vulnerability | CVE-2013-1336
MS13-040 | Authentication Bypass Vulnerability | CVE-2013-1337
MS13-041 | Lync RCE Vulnerability | CVE-2013-1302
MS13-042 | Multiple Microsoft Publisher Remote Code Execution Vulnerabilities | MULTIPLE
MS13-043 | Word Shape Corruption Vulnerability | CVE-2013-1335
MS13-044 | XML External Entities Resolution Vulnerability | CVE-2013-1301
MS13-045 | Windows Essentials Improper URI Handling Vulnerability | CVE-2013-0096
MS13-046 | DirectX Graphics Kernel Subsystem Double Fetch Vulnerability | CVE-2013-1332
MS13-046 | Win32k Buffer Overflow Vulnerability | CVE-2013-1333
MS13-046 | Win32k Window Handle Vulnerability | CVE-2013-1334


This month starts the same way that every other month does, with Internet Explorer as the first bulletin. The most important takeaway of this patch is that it contains fixes for a Pwn2Own 2013 vulnerability, CVE-2013-2551, as well as a defense-in-depth fix that originated at Pwn2Own. Internet Explorer is usually the first thing you should patch and this month is no different. We actually have a three-way tie for “first patch to install”, with two Internet Explorer patches and the HTTP.sys patch all sitting at the top of the list. Installation order should depend on the purpose of the system: patch IE first for workstations and HTTP.sys first for servers.


The second bulletin of the month is also the second IE bulletin of the month. This one could almost be considered an Out of Band and is a direct response to the recent IE 0-day reported on the FireEye Blog. Since there are known exploits in the wild, this patch should be installed ASAP.


MS13-039 is a rare bulletin: it affects only Microsoft’s newest operating systems. The vulnerability exists within HTTP.sys, which means that anything using it for web capabilities (e.g. IIS) is affected by this issue. The issue is caused when a malicious HTTP request is received, triggering an infinite loop in the HTTP stack. If you’re running a web server on Windows Server 2012, this should be at the top of your list.


Up next, we have the .NET Framework. The issues in .NET are relatively minor; the most important issue is that the signature of an XML file can be spoofed due to a lack of validation.


This bulletin resolves an issue affecting Microsoft Lync and its predecessor, Microsoft Communicator. Successful exploitation of the vulnerability requires that the user accept a program-sharing request from a malicious user. Until the patch is applied, users should be advised to avoid sharing requests from users they don’t know and/or trust.


The biggest bulletin of the month, MS13-042, kicks off a chain of three Microsoft Office related bulletins. The 11 CVEs patched by MS13-042 all represent code execution issues when opening malicious Publisher documents. Publisher 2003, 2007, and 2010 are affected.


The second Office vulnerability this month affects Microsoft Word 2003 and Word Viewer. A malicious RTF document can trigger the vulnerable code, which means that the biggest risk comes from RTF-formatted email to recipients that have reconfigured Outlook 2003 to use Word 2003 as the default mail reader.


The final Office vulnerability affects Visio and is a rather interesting Information Disclosure issue. A specially crafted document could send a local file to a remote server when opened with Visio. As with Publisher, the affected versions are 2003, 2007, and 2010.


The second-to-last bulletin of the month fixes an issue with Windows Writer, a component of Windows Essentials. The issue, which allows an attacker to overwrite files on the local file system, is easily mitigated by removing the Windows Writer URI handler. Users of Windows Essentials should also note that both the 2011 and 2012 versions of Windows Essentials are affected but a patch has not been released for 2011. Users of this version should upgrade to Windows Essentials 2012.


The final bulletin this month is one that we’ve grown accustomed to seeing. It contains privilege escalation issues affecting Windows Kernel-Mode Drivers. Win32K and DirectX are specifically affected by the vulnerabilities listed in this bulletin.

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

[Table contents not recovered. Surviving labels: Automated Exploit, Extremely Difficult, No Known Exploit; Local Availability, Remote Availability, Remote Access, Local Privileged, Remote Privileged.]

All data and commentary is based on information available when the VERT Alert is published.