VERT Alert Analysis for Microsoft Patch Tuesday – September 2013

Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-527 on Wednesday, September 11th.
SharePoint Denial of Service Vulnerability | CVE-2013-0081
Microsoft Office Memory Corruption Vulnerability | CVE-2013-1315
MAC Disabled Vulnerability | CVE-2013-1330
SharePoint XSS Vulnerability | CVE-2013-3179
POST XSS Vulnerability | CVE-2013-3180
Multiple Memory Corruption Vulnerabilities in Word | MULTIPLE
Message Certificate Vulnerability | CVE-2013-3870
Multiple Memory Corruption Vulnerabilities in Internet Explorer | MULTIPLE
OLE Property Vulnerability | CVE-2013-3863
Windows Theme File Remote Code Execution Vulnerability | CVE-2013-0810
XML External Entities Resolution Vulnerability | CVE-2013-3160
Multiple Memory Corruption Vulnerabilities | MULTIPLE
Microsoft Office Memory Corruption Vulnerability | CVE-2013-1315
Microsoft Office Memory Corruption Vulnerability | CVE-2013-3158
XML External Entities Resolution Vulnerability | CVE-2013-3159
Multiple Access Memory Corruption Vulnerabilities | MULTIPLE
Chinese IME Vulnerability | CVE-2013-3859
Multiple Win32k Multiple Fetch Vulnerabilities | MULTIPLE
Win32k Elevation of Privilege Vulnerability | CVE-2013-3866
Service Control Manager Double Free Vulnerability | CVE-2013-3862
XML Disclosure Vulnerability | CVE-2013-3137
Remote Anonymous DoS Vulnerability | CVE-2013-3868
MS13-067
The first bulletin this month resolves 10 CVEs associated with SharePoint components. There’s a denial of service, a couple of XSS issues, and a number of memory corruption vulnerabilities but the one worth talking about is the MAC Disabled Vulnerability.
If an authenticated user were to manipulate the viewstate parameter, they could execute code under the W3WP service account. This becomes a much bigger risk when you consider that a number of people run their SharePoint servers without authentication.
The process for disabling authentication is well documented and greatly increases risk for enterprises that choose to implement it.
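A defensive check related to the MAC Disabled issue above, added here as an example (not VERT's or Microsoft's code): it assumes the MAC in question is the ASP.NET ViewState MAC controlled by the `enableViewStateMac` setting, and flags web.config scopes and `@Page` directives that switch it off. The function names and the sample configuration are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# @Page directive that switches the ViewState MAC off for a single page.
PAGE_DIRECTIVE = re.compile(
    r"<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*[\"']false[\"']", re.I)

def _local(tag):
    """Tag name without an optional XML namespace prefix."""
    return tag.rsplit("}", 1)[-1]

def _children(node, name):
    return [c for c in node if _local(c.tag) == name]

def audit_web_config(xml_text):
    """Return (scope, finding) pairs for every scope that disables the MAC."""
    root = ET.fromstring(xml_text)
    # <system.web> can sit under <configuration> or under <location path="...">,
    # so a site-wide "true" can still be overridden for one path.
    scopes = [("site", root)]
    for loc in root.iter():
        if _local(loc.tag) == "location":
            scopes.append(("location:" + loc.get("path", "."), loc))
    findings = []
    for scope, node in scopes:
        for system_web in _children(node, "system.web"):
            for pages in _children(system_web, "pages"):
                attrs = {k.lower(): v.strip().lower() for k, v in pages.attrib.items()}
                if attrs.get("enableviewstatemac") == "false":
                    findings.append((scope, "enableViewStateMac=false"))
    return findings

def page_disables_mac(aspx_text):
    """True if an .aspx source turns the MAC off in its @Page directive."""
    return PAGE_DIRECTIVE.search(aspx_text) is not None

# Constructed sample: MAC enforced site-wide, disabled for one path.
SAMPLE_CONFIG = """<configuration>
  <system.web><pages enableViewStateMac="true" /></system.web>
  <location path="legacy">
    <system.web><pages enableViewStateMac="false" /></system.web>
  </location>
</configuration>"""

if __name__ == "__main__":
    for scope, finding in audit_web_config(SAMPLE_CONFIG):
        print(scope, finding)
    print(page_disables_mac('<%@ Page Language="C#" EnableViewStateMac="false" %>'))
```

A clean result only means the setting is not explicitly disabled in the files scanned; it does not replace installing the MS13-067 update.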
MS13-068
The single vulnerability in MS13-068 affects Microsoft Outlook 2007 and 2010. This S/MIME parsing vulnerability can be exploited via the preview pane; however, reliable exploit development seems unlikely based on Microsoft’s blog post [1].
Even if attackers sprint toward exploit development on this one, enterprises following a typical patch management process should have this patched before exploits are available.
MS13-069
The third bulletin this month contains the regularly scheduled Internet Explorer update. There’s not much to add since IE has become a regular on Patch Tuesday, so we’ll stick to the basics. Install this update as soon as your process allows.
MS13-070
This bulletin contains a single OLE vulnerability. OLE objects can be embedded in various Office documents and Microsoft has predicted [2] that the most likely attack vector will be Microsoft Visio. There is also an attack vector via Windows Explorer preview but it’s much more difficult to exploit.
MS13-071
Up next this month we have a bulletin that resolves a vulnerability in Microsoft theme files, the files that are responsible for how your computer looks and sounds. Opening a malicious theme file could lead to code execution.
MS13-072
This month’s Word bulletin is interesting in that many of the vulnerabilities are not unique to this bulletin. Of the 13 CVEs, 6 of them overlap with other bulletins this month.
Five of them with the SharePoint bulletin (specifically Office WebApps Word) and the final one is also fixed in MS13-073 (Excel) and MS13-078 (FrontPage).
MS13-073
As mentioned above, MS13-073 is an Excel bulletin and is pretty standard as far as Excel bulletins go. There are two caveats to consider on this bulletin though.
The first is that in order to fully patch Excel 2007 both the Excel 2007 and the Office Compatibility Pack updates must be installed. The second is that Excel Viewer must be updated to a supported version before the update will be offered.
MS13-074
Microsoft Office related bulletins were a noticeable trend this month and that trend continues with MS13-074. This bulletin resolves three CVEs affecting ACCDB files, an Access database file introduced in Access 2007.
MS13-075
YATOV (Yet Another Office Vulnerability) is patched in MS13-075. This one is specific to the Chinese IME that is installed with the Chinese version of Microsoft Office and available as an optional install for the English version of Microsoft Office. The vulnerability could allow a user to run a binary with elevated privileges.
MS13-076
Since we’ve gathered most of the usual suspects this month, we might as well add one more. MS13-076 resolves 7 vulnerabilities affecting Win32k.sys. This bulletin runs the gamut of Windows versions from XP through to 2012, providing potential privilege escalations on each platform.
MS13-077
The vulnerability resolved by MS13-077 is slightly interesting. To exploit the vulnerability, you would require write access to the portion of the registry read by the Service Control Manager. Since most users shouldn’t have write access to the registry this should be mitigated for most end-user systems.
MS13-078
Nothing overly interesting to add for MS13-078 as it contains a single vulnerability, CVE-2013-3137. This is the information disclosure vulnerability patched for both Word and Excel.
The vulnerability allows an attacker to potentially read the contents of files on the local file system. This vulnerability is not unlike CVE-2013-1301, patched in MS13-044 for Microsoft Visio.
MS13-079
The final bulletin of the month contains a denial of service against Active Directory Services. A specially crafted LDAP request can cause the LDAP service to stop responding until the service or system is restarted.
Additional Information
As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table
Ease of use (rows): Automated Exploit | Easy | Moderate | Difficult | Extremely Difficult | No Known Exploit
Exposure (columns): Local Availability | Local Access | Remote Availability | Remote Access | Local Privileged | Remote Privileged
No Known Exploit: MS13-078 | MS13-068 MS13-069 MS13-070 MS13-071 MS13-072 MS13-073 MS13-074 | MS13-079 | MS13-075 MS13-076 MS13-077 | MS13-067
All other rows: no bulletins listed
[1] http://blogs.technet.com/b/srd/archive/2013/09/10/ms13-068-a-difficult-to-exploit-double-free-in-outlook.aspx
[2] http://blogs.technet.com/b/srd/archive/2013/09/10/assessing-risk-for-the-september-2013-security-updates.aspx