
Today’s VERT Alert addresses 8 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-523 on Wednesday, August 14th.

MS13-059

Internet Explorer Process Integrity Level Assignment Vulnerability CVE-2013-3186
EUC-JP Character Encoding Vulnerability CVE-2013-3192
Multiple Memory Corruption Vulnerabilities MULTIPLE

MS13-060

Uniscribe Font Parsing Engine Memory Corruption Vulnerability CVE-2013-3181

MS13-061

Oracle Outside In Contains Multiple Exploitable Vulnerabilities MULTIPLE

MS13-062

Remote Procedure Call Vulnerability CVE-2013-3175

MS13-063

ASLR Security Feature Bypass Vulnerability CVE-2013-2556
Windows Kernel Memory Corruption Vulnerabilities MULTIPLE

MS13-064

Windows NAT Denial of Service Vulnerability CVE-2013-3182

MS13-065

ICMPv6 Vulnerability CVE-2013-3183

MS13-066

AD FS Information Disclosure Vulnerability CVE-2013-3185

 

MS13-059

We start the month off just as we start every month, with an Internet Explorer patch. While the vulnerabilities aren’t overly interesting, the patch also includes a “defense-in-depth” update to resolve an ASLR bypass used at CanSecWest in the Pwn2Own competition.

MS13-060

A single vulnerability is patched in MS13-060, which could allow code execution via a font parsing error in the Unicode Scripts Processor (Uniscribe). Only Windows XP and Server 2003 systems are affected by this issue and, according to the Microsoft SR&D Risk Assessment [1], only when the Bengali font is installed.

MS13-061

The patch for MS13-061 exists because Oracle has released updates for Outside In, which is used with the Exchange WebReady Document Viewing and Data Loss Prevention features. This is a pretty common occurrence these days, and anytime we see an Oracle Outside In patch, we should expect to see a Microsoft Security Bulletin covering the same vulnerabilities.

MS13-062

The CVE in this bulletin describes a race condition when handling RPC calls. When a user continually executes RPC commands, it is possible to send other RPC commands that may be executed in the context of the initial user. If that user has more permissions, then the command could be executed with those increased permissions. Note that the attacker must be authenticated and sending RPC calls from the same system as the higher-permission user.

MS13-063

This is perhaps the most interesting patch of the month as it resolves 4 CVEs, three of which are typical kernel memory corruption vulnerabilities. The fourth CVE is an ASLR bypass that first appeared at CanSecWest. Microsoft has released a blog post [2] detailing the bypass and the changes that the fix makes.

MS13-064

MS13-064 only affects Windows Server 2012. The single vulnerability referenced in the bulletin is an ICMP-based Denial of Service affecting the Windows NAT Driver. This driver is used when the Direct Access service is enabled, which may increase the risk for Windows Server 2012 Essentials small business users.

MS13-065

A second ICMP Denial of Service vulnerability is fixed in MS13-065. This vulnerability affects multiple operating systems and exists within the TCP/IP stack and its handling of incoming ICMPv6 packets.

MS13-066

The final bulletin this month is an information disclosure that could ultimately lead to a denial of service. Active Directory Federation Services discloses information regarding the service account name. This information could be used to perform a brute force attack against the server. If the server has an account lockout policy in place, the brute force attack could lock out the service account, which would, in turn, lock out all access to ADFS.

Additional Information

Microsoft has released [3] an update to deprecate MD5 when used with certificates issued under the Microsoft Root Certificate Program. This update is available in the download center but will be pushed out via Microsoft Update on February 11th, 2014. After installing the update, certificates using MD5 hashing (or that have parents that use MD5 hashing) will be considered untrusted.
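As an added example (not code from VERT or Microsoft), the PowerShell below inventories certificates in a few local stores and reports any whose chain contains an element signed with MD5, giving a review list ahead of the update described above. The store list and the function name Get-Md5ChainElements are assumptions for illustration, and only the md5WithRSAEncryption OID is matched.

```powershell
# Added example: list certificates whose own signature, or a parent's, uses MD5.
# OID for md5WithRSAEncryption (PKCS #1).
$md5Oids = @('1.2.840.113549.1.1.4')

# Hypothetical helper: returns every chain element of $Certificate signed with MD5.
function Get-Md5ChainElements {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Inventory only: skip revocation lookups.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    # Build() returns $false for an invalid chain; the elements it could
    # assemble are still available in ChainElements, so the result is ignored.
    [void]$chain.Build($Certificate)

    foreach ($element in $chain.ChainElements) {
        if ($md5Oids -contains $element.Certificate.SignatureAlgorithm.Value) {
            $element.Certificate
        }
    }
}

# Assumed store list; extend it to match where your services keep certificates.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\CurrentUser\My'

Get-ChildItem -Path $stores | ForEach-Object {
    $leaf = $_
    foreach ($hit in Get-Md5ChainElements -Certificate $leaf) {
        [pscustomobject]@{
            Store            = $leaf.PSParentPath -replace '^.*::', ''
            Subject          = $leaf.Subject
            Thumbprint       = $leaf.Thumbprint
            NotAfter         = $leaf.NotAfter
            Md5SignedElement = $hit.Subject
        }
    }
} | Format-Table -AutoSize
```

A row whose Md5SignedElement differs from its Subject means the MD5 signature is on a parent certificate rather than on the certificate itself.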

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table:

Automated Exploit: none
Easy: none
Moderate: MS13-066
Difficult: MS13-063
Extremely Difficult: none
No Known Exploit: MS13-059, MS13-060, MS13-061, MS13-062, MS13-064, MS13-065

Exposure: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged

 
