BeyondTrust Patch Tuesday

December 10, 2013

Microsoft Patch Tuesday

This month, Microsoft released 11 patches that repair a total of 24 vulnerabilities. Of these vulnerabilities, there were 12 remote code execution vulnerabilities, eight elevation of privilege vulnerabilities, two denial of service vulnerabilities, one information disclosure vulnerability, and one security bypass vulnerability.

Administrators are advised to patch MS13-096, MS13-097, MS13-099, MS13-098, and MS13-105 immediately to prevent exploitation by attackers. Next, administrators should patch MS13-100, MS13-101, MS13-102, MS13-104, and MS13-106 as soon as possible. Lastly, administrators should patch MS13-103 at their earliest convenience.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: BeyondTrust Research Team
  • Date/Time: Wednesday, December 11, 2013, 1pm PT / 4pm ET

BULLETIN / ADVISORY DETAILS

MS13-096

Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution


Microsoft Rating: Critical

CVE: CVE-2013-3906

Analysis:

This bulletin addresses a publicly disclosed remote code execution vulnerability in GDI+. The patch fixes a memory corruption vulnerability that occurs when parsing TIFF files. An attacker that successfully exploited this vulnerability in Windows would gain system level access to the target machine, while exploits of userland applications would grant the attacker user level access to the machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, disable the TIFF codec and disable data collaboration in Lync. Note: attacks targeting this vulnerability have been seen in the wild.

 

MS13-097

Cumulative Security Update for Internet Explorer


Microsoft Rating: Critical

CVE List: CVE-2013-5045, CVE-2013-5046, CVE-2013-5047, CVE-2013-5048, CVE-2013-5049, CVE-2013-5051, and CVE-2013-5052

Analysis:

This bulletin addresses seven privately reported vulnerabilities in Internet Explorer: five memory corruptions and two elevation of privilege vulnerabilities. The patch fixes memory corruptions and permission verification issues that occur when browsing various web pages. An attacker that successfully exploited the memory corruption vulnerabilities would gain user level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers; no mitigation is available for the elevation of privilege vulnerabilities. Until the patch can be installed, the memory corruption vulnerabilities can be mitigated by blocking ActiveX controls and blocking/disabling Active Scripting in both Internet and Local intranet zones.

 

MS13-098

Vulnerability in Windows Could Allow Remote Code Execution


Microsoft Rating: Critical

CVE: CVE-2013-3900

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Windows. The patch fixes a failure to properly validate signatures when using WinVerifyTrust. An attacker that successfully exploited this vulnerability would be able to modify a signed executable without invalidating the executable's signature. This would be useful in social engineering scenarios.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available. Note: attacks targeting this vulnerability have been seen in the wild.

 

MS13-099

Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution


Microsoft Rating: Critical

CVE: CVE-2013-5056

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Windows Scripting Runtime. The patch fixes a memory corruption vulnerability that occurs when executing certain scripts. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers; no mitigation is available.

 

MS13-100

Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution


Microsoft Rating: Important

CVE: CVE-2013-5059

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft SharePoint Server. The patch fixes how page contents are sanitized. An attacker that successfully exploited this vulnerability would gain the ability to execute arbitrary code in the context of the W3WP service account on the vulnerable machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-101

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege


Microsoft Rating: Important

CVE List: CVE-2013-3899, CVE-2013-3902, CVE-2013-3903, CVE-2013-3907, and CVE-2013-5058

Analysis:

This bulletin addresses five privately reported vulnerabilities in Windows kernel-mode drivers: three elevation of privilege vulnerabilities and two denial of service vulnerabilities. The patch fixes a memory corruption vulnerability, a use after free vulnerability, a font parsing vulnerability, a double fetch vulnerability, and an integer overflow vulnerability. An attacker that successfully exploited one of the privilege elevation vulnerabilities would gain kernel level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-102

Vulnerability in LRPC Client Could Allow Elevation of Privilege


Microsoft Rating: Important

CVE: CVE-2013-3878

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Local RPC Client. The patch fixes a buffer overflow that manifests when the LPC client and LPC server exchange port messages. A local attacker that successfully exploited this vulnerability would elevate their privileges on the system.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-103

Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege


Microsoft Rating: Important

CVE: CVE-2013-5042

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in ASP.NET SignalR. The patch fixes a cross-site scripting vulnerability that occurs when encoding user input. An attacker that successfully exploited this vulnerability would be able to perform actions on behalf of another user on the affected site.

 

Recommendation:

Deploy patches at the earliest convenience; no mitigation is available for Visual Studio Team Foundation Server. Until the patch can be installed, ASP.NET SignalR installations can be protected by disabling the ASP.NET SignalR Forever Frame transport protocol.

 

MS13-104

Vulnerability in Microsoft Office Could Allow Information Disclosure


Microsoft Rating: Important

CVE: CVE-2013-5054

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in Microsoft Office. The patch fixes a token hijacking vulnerability that occurs when handling responses while attempting to open Office documents hosted on attacker-controlled websites. An attacker that successfully exploited this vulnerability would gain the target's access token, which would allow them to authenticate against other Office servers, such as a SharePoint site the user has access to.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available. Note: attacks targeting this vulnerability have been seen in the wild.

 

MS13-105

Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution


Microsoft Rating: Critical

CVE List: CVE-2013-5763, CVE-2013-5791, CVE-2013-1330, and CVE-2013-5072

Analysis:

This bulletin addresses three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange: three remote code execution vulnerabilities and an elevation of privilege vulnerability. The patch fixes a couple of Oracle Outside In vulnerabilities, a MAC disabled vulnerability that also occurred in SharePoint earlier this year, and a cross-site scripting vulnerability in Outlook Web Access. An attacker that successfully exploited any of the remote code execution vulnerabilities would gain the ability to execute arbitrary code on the server in either the LocalService account or the Outlook Web Access service account, depending on the vulnerability chosen.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers; no mitigation is available for the MAC disabled vulnerability or the cross-site scripting vulnerability. Until the patch can be installed, the Oracle Outside In vulnerabilities can be mitigated by disabling data loss prevention in Exchange 2013, and disabling WebReady document view in Exchange 2007/2010/2013.

 

MS13-106

Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass


Microsoft Rating: Important

CVE: CVE-2013-5057

Analysis:

This bulletin addresses a publicly reported ASLR bypass vulnerability in a shared Microsoft Office component. The patch enables ASLR protections for a component of Microsoft Office. An attacker that successfully exploited this vulnerability would be able to bypass ASLR protections while exploiting a secondary vulnerability on the affected system.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available. Note: attacks targeting this vulnerability have been seen in the wild.

 
