VERT Alert: November 2013 Microsoft Patch Tuesday Analysis

Today’s VERT Alert addresses 11 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-540 on Wednesday, December 11th.
| Vulnerability | CVE |
|---|---|
| Microsoft Graphics Component Memory Corruption Vulnerability | CVE-2013-3906 |
| Multiple Elevation of Privilege Vulnerabilities in Internet Explorer | MULTIPLE |
| Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE |
| WinVerifyTrust Signature Validation Vulnerability | CVE-2013-3900 |
| Use-After-Free Vulnerability in Microsoft Scripting Runtime Object Library | CVE-2013-5056 |
| SharePoint Page Content Vulnerabilities | CVE-2013-5059 |
| Win32k Memory Corruption Vulnerability | CVE-2013-3899 |
| Win32k Use After Free Vulnerability | CVE-2013-3902 |
| TrueType Font Parsing Vulnerability | CVE-2013-3903 |
| Port-Class Driver Double Fetch Vulnerability | CVE-2013-3907 |
| Win32k Integer Overflow Vulnerability | CVE-2013-5058 |
| LRPC Client Buffer Overrun Vulnerability | CVE-2013-3878 |
| SignalR XSS Vulnerability | CVE-2013-5042 |
| Token Hijacking Vulnerability | CVE-2013-5054 |
| Oracle Outside In Contains Multiple Exploitable Vulnerabilities | MULTIPLE |
| MAC Disabled Vulnerability | CVE-2013-1330 |
| OWA XSS Vulnerability | CVE-2013-5072 |
| HXDS ASLR Vulnerability | CVE-2013-5057 |

MS13-096
The first vulnerability patched this month is likely the most critical one to patch. Normally, this wouldn’t make the top of the list; however, given that the vulnerability is public and has been used in the wild, this patch should be given the most attention. Microsoft has previously discussed this vulnerability in a Security Research & Defense blog post [1].
MS13-097
Up next, we have the monthly Internet Explorer update. This is a regular update at this point and 100% expected; even the vulnerabilities contained within the update are standard fare. Given that this is IE, applying the update is critical, but deployment should be second nature for system administrators by now.
MS13-098
The third bulletin this month is one of the more interesting ones. It describes an issue with Authenticode that is handled in two parts. First, the patch fixes known issues; then, in 6 months (June 10th, 2014), the second half will go into effect. The issue was Authenticode-signed installers that downloaded an external binary where the URL of the binary wasn’t included in the signed portion of the code, meaning a malicious individual could change the URL and redistribute the signed file.
When the second half of this fix goes live, this practice will no longer be supported and installers that function this way will be broken. If users want to use the improved method immediately, a registry change can enable the functionality. Microsoft has released an advisory with more details on enabling the change [2] as well as a blog post detailing the issue [3].
MS13-099
This bulletin describes a single vulnerability that affects Windows Scripting. Given the nature of Windows Scripting and support for VBScript, this vulnerability could be leveraged to provide a drive-by attack against users. This potential attack vector increases the risk and raises the criticality of this issue.
MS13-100
SharePoint has been patched frequently this year and Microsoft decided to give us one more patch before we finished the year. This patch fixes a vulnerability that could allow an authenticated user to run code in the context of the W3WP service.
MS13-101
Just like SharePoint, TrueType font and Win32k.sys vulnerabilities have been popular this year. We’re wrapping up the year with 5 additional kernel-mode driver privilege escalations fixed by Microsoft in this bulletin.
MS13-102
This next bulletin is a reminder of why older operating systems need to go away (only 4 months until XP is out of support). Only Windows XP and Server 2003 are vulnerable to this and the attacker requires access to the system to exploit this privilege escalation vulnerability.
MS13-103
This bulletin contains a vulnerability titled “SignalR XSS Vulnerability” and it may end up competing for most annoying Microsoft patch to apply this year. There are two affected products here: ASP.NET SignalR and Visual Studio Team Foundation Server 2013. While TFS has a rather straightforward patch, the ASP.NET portion of the bulletin is worth paying attention to.
The proper fix for this issue is to download the SignalR Library update and rebuild your hosted ASP.NET applications. This is fine if you’re hosting your own applications, but if you’re hosting for others then you’d better visit the download center and download the ASP.NET update that will work as an interim solution until your hosted applications are fixed.
MS13-104
MS13-104 falls into the category of “Microsoft fails at vulnerability classification”. The vulnerability looks harmless enough when it’s labeled as an “Information Disclosure”, but when you dig in you realize that successful exploitation of the vulnerability could give the attacker full access to all your data stored on SharePoint. Keep that in mind when prioritizing this vulnerability; the risk to your environment may vary greatly.
MS13-105
Microsoft has patched Exchange a couple of times and we always see the same issues fixed: Oracle Outside In issues that were patched by Oracle a few months previously. This month is the same, fixing two CVEs that Oracle had previously patched. In addition, this bulletin fixes two other issues, one of which is Cross-Site Scripting related.
MS13-106
The (hopefully) final bulletin of the year is a long-expected fix to an ASLR bypass in hxds.dll (a component of Office). While this vulnerability doesn’t lead to direct code execution, it has been used in many recent exploits as an ASLR bypass to lead to successful exploitation. Even though it’s a fairly unimportant vulnerability on its own, this should rank fairly high on the list of patches to apply, as it will mitigate existing exploit code for other vulnerabilities.
Additional Information
As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
|---|---|
| Automated Exploit | MS13-096 |
| Easy | |
| Moderate | MS13-098 |
| Difficult | |
| Extremely Difficult | MS13-105 |
| No Known Exploit | MS13-104 MS13-106; MS13-097 MS13-099; MS13-103; MS13-100 MS13-101 MS13-102 |

Exposure: Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged