August Patch Tuesday brings some interesting security updates from Microsoft. Everyone, including myself, was worried about the Exchange update (MS13-061); it is marked critical, but it is not as bad as we feared.
Of the Internet Explorer update (MS13-059), the bulletin stated: “This security update resolves eleven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.”
The Exchange patch incorporates fixes that Oracle released in April and July that affect Outlook Web Access (OWA). While the likelihood of exploitation is fairly low, it is still a critical update that organizations using OWA should install.
There are two ASLR bypasses this month: MS13-059 in IE and MS13-063 in the Windows kernel.
“The most severe vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities,” MS13-063 stated.
Both of these came from the CanSecWest Pwn2Own competition this year, and both updates should be applied as soon as possible. There are some good blog posts about these from Microsoft and from Yang Yu.
Happy anniversary to Blaster: Microsoft has another RPC vulnerability, nowhere near as bad, but the timing is great. This RPC issue is a race condition and the attacker must already be on the local box, but we could see exploits for this one if attackers can get through the pre-conditions that make it difficult to trigger.
Some denial-of-service issues round out this month's release, and the interesting part is that two of them are exploited over IPv6. They are only marked important, but they are interesting. MS13-066 affects Active Directory Federation Services (AD FS) and, if exploited, could cause a denial of service for valid users by locking out accounts.
“The vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured,” the bulletin stated.
MS13-065 is an IPv6 ICMP vulnerability that could be triggered by a single packet, but the stars have to align just right for this.
“The vulnerability could allow a denial of service if the attacker sends a specially crafted ICMP packet to the target system,” Microsoft said of the vulnerability.
The final one is a DoS of the Windows NAT driver on Windows Server 2012 systems running DirectAccess (MS13-064).
“The vulnerability could allow denial of service if an attacker sends a specially crafted ICMP packet to a target server that is running the Windows NAT Driver service,” the bulletin said.
DirectAccess is a feature in Windows Server 2012 that lets you connect seamlessly to your organization's network from any Internet-connected remote location without establishing a virtual private network (VPN) connection.
Although it is off by default and may be rare in corporate environments, it is common on Windows Server 2012 Essentials, where home users and small businesses run the server as the core of their environment.