Skip to content ↓ | Skip to navigation ↓

Today’s VERT Alert addresses 7 new Microsoft Security Bulletins. VERT (Tripwire’s Vulnerability and Exposures Research Team) is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-518 on Wednesday, July 10th.

MS13-052

TrueType Font Parsing Vulnerability CVE-2013-3129
Array Access Violation Vulnerability CVE-2013-3131
Delegate Reflection Bypass Vulnerability CVE-2013-3132
Anonymous Method Injection Vulnerability CVE-2013-3133
Array Allocation Vulnerability CVE-2013-3134
Delegate Serialization Vulnerability CVE-2013-3171
Null Pointer Vulnerability CVE-2013-3178

MS13-053

Win32k Memory Allocation Vulnerability CVE-2013-1300
Win32k Dereference Vulnerability CVE-2013-1340
Win32k Vulnerability CVE-2013-1345
TrueType Font Parsing Vulnerability CVE-2013-3129
Win32k Information Disclosure Vulnerability CVE-2013-3167
Win32k Buffer Overflow Vulnerability CVE-2013-3172
Win32k Buffer Overflow Vulnerability CVE-2013-3173
Win32k Read AV Vulnerability CVE-2013-3660

MS13-054

TrueType Font Parsing Vulnerability CVE-2013-3129

MS13-055

Shift JIS Character Encoding Vulnerability CVE-2013-3166
Multiple Memory Corruption Vulnerabilities in Internet Explorer MULTIPLE

MS13-056

DirectShow Arbitrary Memory Overwrite Vulnerability CVE-2013-3174

MS13-057

WMV Video Decoder Remote Code Execution Vulnerability CVE-2013-3127

MS13-058

Microsoft Windows 7 Defender Improper Pathname Vulnerability CVE-2013-3154

 

MS13-052

The first bulletin this month contains 7 CVEs affecting .NET and Silverlight. Due to the inclusion of Silverlight this has a drive-by attack vector for both Windows and Mac users. This is also the first of 3 bulletins this month to include a fix for CVE-2013-3129.  If you were to split out the top three patches to install, this one would be included in that group. It is also important to note that there are different patches for .NET and Silverlight; so multiple patches may need to be installed

MS13-053

This month’s second bulletin contains a couple of points worth mentioning. First, it includes the publicly discussed CVE-2013-3660, which has already been included in known exploit frameworks. This bulletin is also the second this month to include CVE-2013-3129. Given the multiple attack vectors for this CVE, it’s likely that it will be a popular choice for exploit authors. This patch would be the second to be included in our Top 3 list of patches to install this month.

MS13-054

The third bulletin this month is the final bulletin to include a fix for CVE-2013-3129; unfortunately it’s also one of the messier bulletins as Windows, Office, Visual Studio .NET, and Microsoft Lync all appear in the affected software list. Be sure to apply all required patches to your systems.

MS13-055

Bulletin number four this month is the bulletin that normally starts us off, Internet Explorer. This much, much like last month, is a rather large list of vulnerabilities. In total, 17 CVEs are patched in today’s IE update. Given the popularity of IE and IE-related exploits, it is advisable to install this patch as soon as possible… it would definitely be the final patch in our Top 3 list.

MS13-056

MS13-056 is an interesting bulletin because there are no known Microsoft products that provide an attack surface to access the vulnerabilities. Instead, the vulnerability is exposed via third-party products that use the Microsoft DirectShow libraries to process GIFs. Thankfully, these third-party products don’t need to be updated individually… applying the patch found in this bulletin will resolve the issue.

MS13-057

The second last bulletin this month resolves a single vulnerability affect Windows Media Player’s WMV decoder. The important piece of information to note here are the numerous (6) footnotes on the affected software list indicating when specific updates are offered. This is important information to consider when ensuring that all systems are properly patched.

MS13-058

The final bulletin this month is reminiscent of Security Advisory 2846338 released in May. The style of attack is similar but instead of affecting Microsoft Malware Protection Engine (as the advisory in May did), this month’s bulletin discussed Windows Defender. This attack has a very low barrier to entry but requires write permission to the root of the system drive. Ideally, in most situations, end-users will not have permission to do that in enterprise environments, which will limit the successful exploitation of this vulnerability.

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table

Automated Exploit

MS13-053

Easy

Moderate

MS13-058

Difficult

Extremely Difficult

MS13-052

No Known Exploit

MS13-054MS13-056MS13-057 MS13-055

Exposure

Local Availability

Local Access

Remote Availability

Remote Access

Local Privileged

Remote Privileged

From Craig Young, Tripwire security researcher:

  • “Microsoft is taking a big step toward minimizing vulnerable applications in their various app stores. Under the new policy, any app in any of the four app stores will be given 180 days to resolve reported code execution bugs. This policy applies to 3rd party developers as well as Microsoft’s own applications and is a great addition to Microsoft’s existing policy of scanning and reviewing app submissions.”
  • “Internet Explorer vulnerabilities this month made up exactly half of the CVEs addressed in the July bulletin. This is particularly alarming because 16 of the 17 issues addressed are memory corruption vulnerabilities — many of which Microsoft expects could be reliably exploited in the next 30 days.  What’s more, this comes on the heels of a particularly large June Internet Explorer update.”
  • “Font processing took a big hit this month. Three advisories are being released to address TTF parsing issues which could be used in drive-by-downloads or other attacks leading code execution. One such vulnerability is particularly bad as it exists within kernel-space and can allow code execution in the SYSTEM context.”

From Tyler Reguly, technical manager of security research and development at Tripwire:

  • “The thing that jumps out this month is the repeated mention of a CVE-2013-3129 in three bulletins. This is important to note — everyone should ensure they are fully patched against this vulnerability.”
  • “With so many critical bulletins, it’s difficult to determine a solid patch priority. Luckily, there’s safety in the known, so customers should patch Internet Explorer first, a common theme for Microsoft patch drops.”
  • “Microsoft is patching a public vulnerability patched in MS13-050 and anything that is already public deserves extra attention, so apply the MS13-053 patch as soon as you’re finished applying  MS13-055.”

Related Articles:

P.S. Have you met John Powers, supernatural CISO?

 

Title image courtesy of ShutterStock