BeyondTrust Patch Tuesday

April 09, 2013

Microsoft Patch Tuesday

This month, Microsoft released nine patches that repair a total of 14 vulnerabilities. Of these vulnerabilities, there were three remote code execution vulnerabilities, eight elevation of privilege vulnerabilities, two denial of service vulnerabilities, and one information disclosure vulnerability.

Administrators are advised to patch MS13-028 and MS13-029 immediately to prevent exploitation by attackers. Next, administrators should patch MS13-030, MS13-031, MS13-032, MS13-033, MS13-034, MS13-035, and MS13-036 as soon as possible.

  • Web Event: Vulnerability Expert Forum - April 2013
  • Presenters: The BeyondTrust Research Team
  • Date/Time: Wednesday, April 10, 2013 1pm PT/ 4pm ET

BULLETIN / ADVISORY DETAILS

MS13-028



Microsoft Rating:

Critical

CVE List:

CVE-2013-1303 and CVE-2013-1304

 

Analysis:

This bulletin addresses two privately reported remote code execution vulnerabilities in Internet Explorer. The patch fixes two use-after-free vulnerabilities that occur when Internet Explorer accesses in-memory objects that have already been deleted. An attacker who successfully exploited these vulnerabilities would gain the same rights as the logged-on user on the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, configure the Internet and Local intranet zones to block ActiveX controls and to disable (or prompt before running) Active Scripting. Disabling Active Scripting outright breaks many legitimate sites, so a prompt-before-run setting or Trusted sites exceptions may be needed.

 

MS13-029

Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)


Microsoft Rating:

Critical

CVE:

CVE-2013-1296

 

Analysis:

This bulletin addresses a publicly reported remote code execution vulnerability in the Microsoft Remote Desktop Client. The patch fixes a use-after-free vulnerability in the Remote Desktop Connection ActiveX control, mstscax.dll, that occurs when the control handles in-memory objects; the control is reachable from a web page rendered in Internet Explorer. An attacker who successfully exploited this vulnerability would gain the same rights as the logged-on user on the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, prevent Internet Explorer from loading mstscax.dll by setting the kill bit for each CLSID of the Remote Desktop Connection ActiveX control, and configure the Internet and Local intranet zones to block ActiveX controls and disable (or prompt before running) Active Scripting. Setting the kill bit also disables legitimate browser-based Remote Desktop access (for example, RD Web Access), so plan for that.
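The registry changes behind the MS13-028 and MS13-029 interim mitigations, as an added PowerShell example (this is not code from the BeyondTrust advisory or from Microsoft). It assumes the affected control is hosted by mstscax.dll, as named above, and that the standard Internet Explorer kill-bit and zone-setting registry locations are in use; the CLSIDs are discovered from the machine's own registrations rather than hard-coded. Run it from an elevated prompt.

```powershell
# Added example, not part of the BeyondTrust advisory: applies the interim
# MS13-028 / MS13-029 mitigations through the registry. Run elevated.
# Assumptions: the affected control lives in mstscax.dll (named above); the
# standard IE kill-bit and zone-setting registry locations are in use.

# Discover every CLSID whose in-process server is the given DLL, so the kill
# bits match this machine's registrations instead of a hard-coded list.
function Get-ClsidForDll {
    param([Parameter(Mandatory = $true)][string]$DllName)
    $pattern = '(?i)(^|\\)' + [regex]::Escape($DllName) + '\s*$'
    $roots = @('Registry::HKEY_CLASSES_ROOT\CLSID',
               'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID')   # absent on 32-bit
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
            $srv = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -ErrorAction SilentlyContinue
            if ($srv -and $srv.'(default)' -match $pattern) { $_.PSChildName }
        }
    }
}

# Set the kill bit (Compatibility Flags 0x400) so IE refuses to load the control.
# Written under both the native and Wow6432Node keys on 64-bit Windows.
function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $bases = @('HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $bases += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    }
    foreach ($base in $bases) {
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $cur = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$cur) -bor 0x400          # keep any flags already present
        New-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null
    }
}

# Zone 1 = Local intranet, 3 = Internet. Action 1200 = run ActiveX controls and
# plug-ins, 1400 = Active Scripting. Value 3 = disable, 1 = prompt, 0 = enable.
# HKCU affects the current user only; use Group Policy for machine-wide enforcement.
function Set-IEZoneAction {
    param([int]$Zone, [int]$Action, [int]$Value)
    $key = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\$Zone"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name ('{0:X}' -f $Action) -Value $Value -PropertyType DWord -Force | Out-Null
}

$clsids = Get-ClsidForDll -DllName 'mstscax.dll' | Select-Object -Unique
foreach ($c in $clsids) { Set-ActiveXKillBit -Clsid $c; "kill bit set for $c" }
foreach ($zone in 1, 3) {
    Set-IEZoneAction -Zone $zone -Action 0x1200 -Value 3   # block ActiveX controls
    Set-IEZoneAction -Zone $zone -Action 0x1400 -Value 3   # disable Active Scripting
}
```

Use a value of 1 instead of 3 in the zone calls to prompt rather than block. After the patch is installed, the kill bits must be removed (or the flag cleared) before browser-based Remote Desktop works again; the zone settings can be reverted the same way.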

 

MS13-030

Vulnerability in SharePoint Could Allow Information Disclosure (2827663)


Microsoft Rating:

Important

CVE:

CVE-2013-1290

 

Analysis:

This bulletin addresses a publicly reported information disclosure vulnerability in SharePoint Server 2013. The patch corrects how SharePoint applies default access controls to lists. An attacker who successfully exploited this vulnerability would be able to read lists on a SharePoint site that they would not normally be allowed to access.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, change the settings for users' personal document libraries so that "NT Authenticated\All users" is explicitly denied access, and set the permissions on every personal library to "Stop Inheriting Permissions" so that each library carries its own permission set rather than the inherited default.

 

MS13-031

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170)


Microsoft Rating:

Important

CVE List:

CVE-2013-1284 and CVE-2013-1294

 

Analysis:

This bulletin addresses two privately reported elevation of privilege vulnerabilities in the Windows kernel. The patch fixes two occurrences of improper handling of in-memory objects within the kernel. A local attacker that successfully exploited these vulnerabilities would gain kernel level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-032

Vulnerability in Active Directory Could Lead to Denial of Service (2830914)


Microsoft Rating:

Important

CVE:

CVE-2013-1282

 

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in Active Directory. The patch fixes the way Active Directory handles certain LDAP queries. An authenticated attacker that successfully exploited this vulnerability could cause the Active Directory server to exhaust its memory, causing a denial of service condition.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-033

Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917)


Microsoft Rating:

Important

CVE:

CVE-2013-1295

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS). The patch fixes improper handling of in-memory objects. A local attacker who successfully exploited this vulnerability could execute code in the context of the local system account on Windows XP 64-bit and Windows Server 2003, or cause a denial of service condition on Windows XP, Vista, and Server 2008.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-034

Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482)


Microsoft Rating:

Important

CVE:

CVE-2013-0078

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Microsoft Antimalware Client. The patch corrects how the Microsoft Antimalware Client handles pathnames; the interim workaround, which corrects the client service's image path in the registry, shows that the weakness lies in the path used to start that service. A local attacker who could place a file in the affected location and successfully exploited this vulnerability would gain the ability to execute code in the context of the LocalSystem account.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, use the Registry Editor to correct the image path of the Windows Defender service on Windows 8 and Windows RT systems, the platforms affected by this bulletin.
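The image-path correction above is the standard remedy for an unquoted service path: an ImagePath such as C:\Program Files\Windows Defender\MsMpEng.exe that contains spaces but no quotes is ambiguous, and the service controller tries C:\Program.exe and C:\Program Files\Windows.exe before the intended binary, so anyone who can write to those locations runs as the service account. The following PowerShell is an added example (not code from the BeyondTrust advisory or from Microsoft) that audits every service for this condition and quotes the executable portion of a chosen service's ImagePath. It assumes the Windows Defender service is named WinDefend; nothing else is hard-coded. Run it from an elevated prompt.

```powershell
# Added example, not part of the BeyondTrust advisory: finds Windows services
# whose ImagePath is an unquoted path containing spaces (the condition the
# MS13-034 registry workaround corrects) and quotes the executable portion.
# Assumption: the Windows Defender service is named WinDefend. Run elevated.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Split a raw ImagePath into executable and arguments. The executable is the
# text up to the first ".exe"; for an unquoted "C:\Program Files\X\svc.exe -k"
# the service controller tries "C:\Program.exe" first, which is the exposure.
function Split-ImagePath {
    param([string]$ImagePath)
    $m = [regex]::Match($ImagePath, '(?i)^(.*?\.exe)(.*)$')
    if ($m.Success) { ,@($m.Groups[1].Value, $m.Groups[2].Value) } else { $null }
}

function Get-UnquotedServicePath {
    Get-ChildItem -Path $ServicesKey -ErrorAction SilentlyContinue | ForEach-Object {
        # Read the unexpanded value so %SystemRoot%-style paths are seen as stored.
        $raw = $_.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
        if (-not $raw -or $raw.StartsWith('"')) { return }        # absent or already quoted
        $parts = Split-ImagePath ($raw -replace '^\\\?\?\\', '')   # strip NT "\??\" prefix
        if (-not $parts) { return }                                # drivers (.sys) etc.
        if ($parts[0] -match ' ') {
            New-Object PSObject -Property @{ Service = $_.PSChildName; Executable = $parts[0]; ImagePath = $raw }
        }
    }
}

# Wrap the executable in quotes, preserving the value's registry type
# (REG_EXPAND_SZ keeps environment-variable references intact).
function Repair-ServiceImagePath {
    param([Parameter(Mandatory = $true)][string]$Service)
    $item = Get-Item -Path (Join-Path $ServicesKey $Service)
    $raw  = $item.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
    if ($raw.StartsWith('"')) { return $raw }                     # nothing to do
    $parts = Split-ImagePath $raw
    if (-not $parts) { throw "No executable found in ImagePath for $Service : $raw" }
    $fixed = '"' + $parts[0] + '"' + $parts[1]
    $kind  = $item.GetValueKind('ImagePath')
    Set-ItemProperty -Path $item.PSPath -Name ImagePath -Value $fixed -Type $kind
    $fixed
}

# Audit first; then repair the specific service the bulletin concerns.
Get-UnquotedServicePath | Format-Table Service, Executable -AutoSize
# Repair-ServiceImagePath -Service WinDefend     # assumed service name; uncomment to apply
```

The audit is worth keeping after the patch is deployed: third-party services with the same defect are common on workstations, and each one is an equivalent LocalSystem escalation for anyone who can write to a directory on the path.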

 

MS13-035

Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818)


Microsoft Rating:

Important

CVE:

CVE-2013-1289

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the HTML Sanitization Component. The patch fixes a vulnerability that could allow cross-site scripting. An attacker that successfully exploited this vulnerability would be able to execute arbitrary scripts in the context of a currently logged on user that opened the attacker's malicious link.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-036

Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)


Microsoft Rating:

Important

CVE List:

CVE-2013-1283, CVE-2013-1291, CVE-2013-1292, and CVE-2013-1293

 

Analysis:

This bulletin addresses three privately reported and one publicly reported elevation of privilege vulnerabilities in a Windows kernel-mode driver. The patch fixes improper handling of in-memory objects. A local attacker who successfully exploited the NULL pointer dereference vulnerability, CVE-2013-1293, would gain the ability to execute arbitrary code in kernel mode.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available for CVE-2013-1283, CVE-2013-1292, or CVE-2013-1293. Until the patch can be installed, the most likely attack vectors for CVE-2013-1291 (a malicious file reached over WebDAV or an SMB share) can be mitigated by preventing the WebClient service from running and by blocking TCP ports 139 and 445 at the perimeter firewall.
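A host-side version of the CVE-2013-1291 workaround, as an added PowerShell example (not code from the BeyondTrust advisory or from Microsoft), for use as a layer behind the perimeter block the advisory recommends. It assumes Windows Vista or later (for netsh advfirewall) and an elevated prompt. The rule name and the default remote-address scope are choices made here, not values from the advisory.

```powershell
# Added example, not part of the BeyondTrust advisory: host-side interim
# mitigation for the CVE-2013-1291 delivery vectors named above (WebDAV via the
# WebClient service, SMB over TCP 139/445). Assumptions: Windows Vista or later
# (netsh advfirewall), elevated prompt; rule name and scope are chosen here.

function Disable-WebClientService {
    $svc = Get-Service -Name WebClient -ErrorAction SilentlyContinue
    if (-not $svc) { return 'WebClient service not installed' }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name WebClient -Force }
    Set-Service -Name WebClient -StartupType Disabled
    # StartMode via WMI works on PowerShell 2.0, where ServiceController lacks StartType.
    $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='WebClient'").StartMode
    "WebClient: status=$((Get-Service -Name WebClient).Status) startmode=$mode"
}

# Block outbound SMB. RemoteIp defaults to 'any'; on a domain member scope it to
# Internet ranges instead, because blocking 445 to domain controllers breaks
# logon scripts, Group Policy (SYSVOL) and file shares.
function Block-OutboundSmb {
    param([string]$RuleName = 'Block outbound SMB (MS13-036 interim)',
          [string]$RemoteIp = 'any')
    $existing = netsh advfirewall firewall show rule name="$RuleName" 2>$null
    if ($existing -match 'Rule Name') { return "$RuleName already present" }   # idempotent
    netsh advfirewall firewall add rule name="$RuleName" dir=out action=block `
        protocol=TCP remoteport=139,445 remoteip=$RemoteIp | Out-Null
    "$RuleName added"
}

Disable-WebClientService
Block-OutboundSmb
```

Both steps are reversible once the patch is on: set the WebClient service back to Manual and delete the rule with netsh advfirewall firewall delete rule name="Block outbound SMB (MS13-036 interim)".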

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.