VERT Alert Analysis for Microsoft Patch Tuesday – September 2013

Today’s VERT Alert addresses 13 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-527 on Wednesday, September 11th.

MS13-067

The first bulletin this month resolves 10 CVEs associated with SharePoint components. There’s a denial of service, a couple of XSS issues, and a number of memory corruption vulnerabilities but the one worth talking about is the MAC Disabled Vulnerability.

If an authenticated user were to manipulate the viewstate parameter, they could execute code under the W3WP service account. This becomes a number bigger risk when you consider that a number of people run their SharePoint servers without authentication.

The process for disabling authentication is well documented and greatly increases risk for enterprises that choose to implement it.

MS13-068

The single vulnerability in MS13-068 affects Microsoft Outlook 2007 and 2010. This S/MIME parsing vulnerability can be exploited via the preview pane; however, reliable exploit development seems unlikely based on Microsoft’s blog post [1].

Even if attackers sprint toward exploit development on this one, enterprises following a typical patch management process should have this patched before exploits are available.

MS13-069

The third bulletin this month contains the regularly scheduled Internet Explorer update. There’s not much to add since IE has become a regular on Patch Tuesday, so we’ll stick to the basics. Install this update as soon as your process allows.

MS13-070

This bulletin contains a single OLE vulnerability. OLE objects can be embedded in various Office documents and Microsoft has predicted [2] that the most likely attack vector will be Microsoft Visio. There is also an attack vector via Windows Explorer preview but it’s much more difficult to exploit.

MS13-071

Up next this month we have a bulletin that resolves a vulnerability in Microsoft theme files, the files that are responsible for how your computer looks and sounds. Opening a malicious theme file could lead to code execution.

MS13-072

This month’s Word bulletin is interesting in that many of the vulnerabilities are not unique to this bulletin. Of the 13 CVEs, 6 of them overlap with other bulletins this month.

Five of them with the SharePoint bulletin (specifically Office WebApps Word) and the final one is also fixed in MS13-073 (Excel) and MS13-078 (FrontPage).MS13-073

As mentioned above, MS13-073 is an Excel bulletin and is pretty standard as far Excel bulletins go. There are two caveats to consider on this bulletin though.

The first is that in order to fully patch Excel 2007 both the Excel 2007 and the Office Compatibility Pack updates must be installed. The second is that Excel Viewer must be updated to a supported version before the update will be offered. S13-074

Microsoft Office related bulletins were a noticeable trend this month and that trend continues with MS13-074. This bulletin resolves three CVEs affecting ACCDB files, an Access database file introduced in Access 2007.

MS13-075

YATOV (Yet Another Office Vulnerability) is patched in MS13-075. This one is specific to the Chinese IME that is installed with the Chinese version of Microsoft Office and available as an optional install for the English version of Microsoft office. The vulnerability could allow a user to run a binary with elevated privileges.

MS13-076

Since we’ve gathered most of the usual suspects this month, we might as well add one more. MS13-076 resolves 7 vulnerabilities affecting Win32k.sys. This bulletin runs the gamut of Windows versions from XP through to 2012, providing potential privilege escalations on each platform.

MS13-077

The vulnerability resolved by MS13-077 is slightly interesting. To exploit the vulnerability, you would require write access to the portion of the registry read by the Service Control Manager. Since most users shouldn’t have write access to the registry this should be mitigated for most end-user systems.

MS13-078

Nothing overly interesting to add for MS13-078 as it contains a single vulnerability, CVE-2013-3137. This is the information disclosure vulnerability patched for both Word and Excel.

The vulnerability allows an attacker to potentially read the contents of files on the local file system. This vulnerability is not unlike CVE-2013-1301, patched in MS13-044 for Microsoft Visio.

MS13-079

The final bulletin of the month contains a denial of service against Active Directory Services. A specially crafted LDAP request can cause the LDAP service to stop responding until the service or system is restarted.

As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.

Ease of Use (published exploits) to Risk Table