BeyondTrust Patch Tuesday

February 12, 2013

Microsoft Patch Tuesday

This month, Microsoft released 12 patches that repair a total of 57 vulnerabilities. Of these vulnerabilities, there were 18 remote code execution vulnerabilities, 35 elevation of privilege vulnerabilities, three denial-of-service vulnerabilities, and one information disclosure vulnerability.

Administrators are advised to patch MS13-009, MS13-010, MS13-011, MS13-012, and MS13-020 immediately to prevent exploitation by attackers. Next, administrators should patch MS13-013, MS13-014, MS13-015, MS13-016, MS13-017, MS13-018, and MS13-019 as soon as possible.

  • Web Event: Vulnerability Expert Forum - February 2013
  • Presenters: BeyondTrust Research Team
  • Date/Time: February 13, 2013 at 1:00 PM - 2:00 PM PST

BULLETIN / ADVISORY DETAILS

MS13-009

Cumulative Security Update for Internet Explorer (2792100)


Microsoft Rating:

Critical

CVE List:

CVE-2013-0015, CVE-2013-0018, CVE-2013-0019, CVE-2013-0020, CVE-2013-0021, CVE-2013-0022, CVE-2013-0023, CVE-2013-0024, CVE-2013-0025, CVE-2013-0026, CVE-2013-0027, CVE-2013-0028, and CVE-2013-0029

 

Analysis:

This bulletin addresses 13 privately reported vulnerabilities in Internet Explorer, composed of 12 remote code execution vulnerabilities and one information disclosure vulnerability. The patch fixes multiple use-after-free vulnerabilities that occur when handling objects in memory, and fixes a character encoding vulnerability as well. An attacker that successfully exploited any of the remote code execution vulnerabilities would gain user-level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS13-010

Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2797052)


Microsoft Rating:

Critical

CVE:

CVE-2013-0030

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Vector Markup Language. The patch fixes a memory corruption vulnerability that occurs when handling in-memory objects. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, read emails in plain text.
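The "read emails in plain text" workaround above can be applied without touching the Outlook user interface. The following is an added example, not tooling from BeyondTrust or Microsoft: it sets the per-user ReadAsPlain value that makes Outlook render every message as plain text, for each Office version found in the registry (the key layout assumed is Outlook 2007/2010/2013, i.e. version keys 12.0, 14.0 and 15.0), and then reports the result. It must run in the context of the user whose Outlook profile is being hardened.

```powershell
# Added example (not part of the BeyondTrust advisory): force Outlook to show all
# mail as plain text, the interim MS13-010 workaround, and verify the setting.
# Assumes the documented per-user value ReadAsPlain (DWORD, 1 = on) under
# HKCU\Software\Microsoft\Office\<ver>\Outlook\Options\Mail.

$officeRoot = 'HKCU:\Software\Microsoft\Office'

function Get-InstalledOutlookVersions {
    # Version keys look like 12.0 / 14.0 / 15.0; only keep ones that carry an Outlook subkey
    Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.0$' -and
                       (Test-Path (Join-Path $_.PSPath 'Outlook')) }
}

function Set-OutlookReadAsPlain {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 = read all mail as plain text (workaround), 0 = restore HTML/RTF rendering
        [ValidateSet(0, 1)]
        [int]$Value = 1
    )
    foreach ($v in Get-InstalledOutlookVersions) {
        $mailKey = Join-Path $v.PSPath 'Outlook\Options\Mail'
        if (-not (Test-Path $mailKey)) {
            New-Item -Path $mailKey -Force | Out-Null   # Options\Mail may not exist yet
        }
        if ($PSCmdlet.ShouldProcess($mailKey, "Set ReadAsPlain=$Value")) {
            Set-ItemProperty -Path $mailKey -Name 'ReadAsPlain' -Value $Value -Type DWord
        }
    }
}

function Test-OutlookReadAsPlain {
    # One row per installed Outlook version; ReadAsPlain should be True while the workaround is active
    foreach ($v in Get-InstalledOutlookVersions) {
        $mailKey = Join-Path $v.PSPath 'Outlook\Options\Mail'
        $val = (Get-ItemProperty -Path $mailKey -Name 'ReadAsPlain' -ErrorAction SilentlyContinue).ReadAsPlain
        [pscustomobject]@{
            OfficeVersion = $v.PSChildName
            ReadAsPlain   = ($val -eq 1)
        }
    }
}

Set-OutlookReadAsPlain            # apply the workaround
Test-OutlookReadAsPlain           # verify; revert later with Set-OutlookReadAsPlain -Value 0
```

Because the value lives under HKCU it only covers the current user; for a fleet-wide rollout the same value is set through Group Policy Preferences or the Office administrative templates, and Outlook needs to be restarted before it takes effect.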

 

MS13-011

Vulnerability in Media Decompression Could Allow Remote Code Execution (2780091)


Microsoft Rating:

Critical

CVE:

CVE-2013-0077

 

Analysis:

This bulletin addresses a publicly reported remote code execution vulnerability in DirectShow's Media Decompression mechanism. The patch corrects how certain media content is handled when embedded media files are played. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, restrict access to quartz.dll through the use of CACLs.
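The quartz.dll access restriction is a blunt workaround: once Everyone is denied access, nothing that depends on the DirectShow runtime (Windows Media Player, media previews in Explorer and Office) will work until the ACL is reverted, so the original DACL must be saved before it is changed. The script below is an added example, not BeyondTrust's or Microsoft's own tooling; it follows the take-ownership, save-DACL, deny-Everyone sequence Microsoft uses for Windows Vista and later, provides the matching revert, and checks the state. It assumes an elevated 64-bit PowerShell session and that a 64-bit system also carries a 32-bit copy under SysWOW64, so both directories are handled when present; the backup file names under %TEMP% are my own choice.

```powershell
# Added example (not part of the BeyondTrust advisory): apply and revert the
# MS13-011 interim workaround of denying access to quartz.dll via an ACL.
# Run from an elevated 64-bit PowerShell prompt.

# Both copies on a 64-bit system; on 32-bit Windows only System32 exists
$quartzDirs = @("$env:windir\System32", "$env:windir\SysWOW64") |
    Where-Object { Test-Path (Join-Path $_ 'quartz.dll') }

function Get-QuartzAclBackupPath([string]$dir) {
    # One saved DACL per directory, e.g. %TEMP%\quartz_acl_System32.txt (name is an assumption)
    Join-Path $env:TEMP ("quartz_acl_{0}.txt" -f (Split-Path $dir -Leaf))
}

function Block-QuartzDll {
    foreach ($dir in $quartzDirs) {
        $dll = Join-Path $dir 'quartz.dll'
        $bak = Get-QuartzAclBackupPath $dir
        if (Test-Path $bak) { throw "Backup $bak already exists; refusing to overwrite it." }
        takeown.exe /f $dll | Out-Null            # TrustedInstaller owns it; take ownership first
        icacls.exe $dll /save $bak | Out-Null     # keep the original DACL for the revert
        icacls.exe $dll /deny '*S-1-1-0:(F)'      # deny Everyone (by SID, so it works on any locale)
    }
}

function Unblock-QuartzDll {
    # Reapply the saved DACL once MS13-011 has been installed
    foreach ($dir in $quartzDirs) {
        $bak = Get-QuartzAclBackupPath $dir
        if (-not (Test-Path $bak)) { throw "No ACL backup at $bak; cannot revert $dir." }
        icacls.exe $dir /restore $bak | Out-Null   # /restore applies entries relative to the directory
        Remove-Item $bak
    }
}

function Test-QuartzDllBlocked {
    # True only when every present copy carries an explicit deny ACE for Everyone (S-1-1-0)
    $states = foreach ($dir in $quartzDirs) {
        $acl = Get-Acl (Join-Path $dir 'quartz.dll')
        [bool]($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
        })
    }
    -not ($states -contains $false)
}

Block-QuartzDll
Test-QuartzDllBlocked        # expect True until Unblock-QuartzDll is run after patching
```

The check reads the ACL through Get-Acl and compares SIDs rather than parsing icacls output, so it is not fooled by a localized group name. Note that icacls /restore puts back the DACL but not the original owner; if the TrustedInstaller ownership matters in your environment, record it before running takeown.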

 

MS13-012

Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2809279)


Microsoft Rating:

Critical

CVE List:

CVE-2013-0393 and CVE-2013-0418

 

Analysis:

This bulletin addresses two publicly reported vulnerabilities in Microsoft Exchange, composed of a remote code execution vulnerability and a denial of service vulnerability. The patch fixes two vulnerabilities in the Oracle Outside In library used by the WebReady Document Viewing feature of Exchange, specifically fixing the Paradox DB file parsers. An attacker that successfully exploited the remote code execution vulnerability would gain the ability to execute code in the context of the LocalService account on the targeted Exchange server.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, disable the WebReady Document Viewing feature.
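WebReady Document Viewing is a per-virtual-directory setting on Outlook Web App, so disabling it means touching every OWA virtual directory in the organization. The following is an added example written for the Exchange Management Shell, not a script from BeyondTrust or Microsoft; it switches the feature off for both the public- and private-computer variants (both parameters exist on Set-OwaVirtualDirectory in Exchange 2007 and 2010, which is what this assumes), provides the matching re-enable step for after the patch, and lists the resulting state so the change can be confirmed.

```powershell
# Added example (not part of the BeyondTrust advisory): MS13-012 interim workaround.
# Run in the Exchange Management Shell as an account allowed to modify OWA
# virtual directories.

function Disable-WebReadyViewing {
    # Every OWA virtual directory in the org, public and private computer settings alike
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
        -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
        -WebReadyDocumentViewingOnPrivateComputersEnabled $false
}

function Enable-WebReadyViewing {
    # Revert once the patched Outside In libraries from MS13-012 are installed
    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
        -WebReadyDocumentViewingOnPublicComputersEnabled  $true `
        -WebReadyDocumentViewingOnPrivateComputersEnabled $true
}

function Get-WebReadyViewingState {
    # One row per virtual directory; both flags should read False while the workaround is in force
    Get-OwaVirtualDirectory |
        Select-Object Server, Name,
            WebReadyDocumentViewingOnPublicComputersEnabled,
            WebReadyDocumentViewingOnPrivateComputersEnabled
}

Disable-WebReadyViewing
Get-WebReadyViewingState | Format-Table -AutoSize
```

Users lose the in-browser preview of attachments while the setting is off, but attachments can still be downloaded; the trade-off is that the Outside In parsers named in the bulletin are no longer invoked on the server for content arriving from the outside.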

 

MS13-013

Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2784242)


Microsoft Rating:

Important

CVE List:

CVE-2012-3214 and CVE-2012-3217

 

Analysis:

This bulletin addresses two publicly reported remote code execution vulnerabilities in FAST Search Server 2010 for SharePoint. The patch fixes two vulnerabilities in Oracle Outside In libraries that are used by the Advanced Filter Pack within FAST Search Server. An attacker that successfully exploited these vulnerabilities would gain the ability to execute arbitrary code in the context of a user account on the SharePoint server with a restricted token.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, turn off the Advanced Filter Pack feature of FAST Search Server.

 

MS13-014

Vulnerability in NFS Server Could Allow Denial of Service (2790978)


Microsoft Rating:

Important

CVE:

CVE-2013-1281

 

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in NFS Server. The patch fixes a NULL dereference vulnerability that occurs when handling certain file operations. An authenticated attacker that successfully exploited this vulnerability would be able to cause the targeted server to stop responding and restart.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-015

Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277)


Microsoft Rating:

Important

CVE:

CVE-2013-0073

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the .NET Framework. The patch fixes an issue that occurs when permissions of a callback function are improperly elevated upon the creation of a particular WinForms object. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block XAML browser applications from running in Internet Explorer.

 

MS13-016

Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778344)


Microsoft Rating:

Important

CVE List:

CVE-2013-1248, CVE-2013-1249, CVE-2013-1250, CVE-2013-1251, CVE-2013-1252, CVE-2013-1253, CVE-2013-1254, CVE-2013-1255, CVE-2013-1256, CVE-2013-1257, CVE-2013-1258, CVE-2013-1259, CVE-2013-1260, CVE-2013-1261, CVE-2013-1262, CVE-2013-1263, CVE-2013-1264, CVE-2013-1265, CVE-2013-1266, CVE-2013-1267, CVE-2013-1268, CVE-2013-1269, CVE-2013-1270, CVE-2013-1271, CVE-2013-1272, CVE-2013-1273, CVE-2013-1274, CVE-2013-1275, CVE-2013-1276, and CVE-2013-1277

 

Analysis:

This bulletin addresses 30 privately reported elevation of privilege vulnerabilities in a Windows Kernel-Mode Driver. The patch fixes many race conditions that occur when handling objects in memory. A local attacker that successfully exploited any of these vulnerabilities would be able to elevate their privileges and read arbitrary amounts of memory from the kernel.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-017

Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494)


Microsoft Rating:

Important

CVE List:

CVE-2013-1278, CVE-2013-1279, and CVE-2013-1280

 

Analysis:

This bulletin addresses three privately reported elevation of privilege vulnerabilities in the Windows Kernel. The patch fixes two race condition vulnerabilities and a kernel reference counting vulnerability, all of which stem from improper handling of certain objects in memory. A local attacker that successfully exploited any of these vulnerabilities would gain kernel-level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-018

Vulnerability in TCP/IP Could Allow Denial of Service (2790655)


Microsoft Rating:

Important

CVE:

CVE-2013-0075

 

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the Windows TCP/IP implementation. The patch fixes a vulnerability that occurs when handling termination sequences of TCP streams. An unauthenticated attacker that successfully exploited this vulnerability would be able to cause the target system to exhaust its resources, resulting in a denial of service to new users trying to connect to the system.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-019

Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113)


Microsoft Rating:

Important

CVE:

CVE-2013-0076

 

Analysis:

This bulletin addresses a publicly reported elevation of privilege vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS). The patch fixes how CSRSS handles in-memory objects, specifically an error in tracking a reference count. A local attacker that successfully exploited this vulnerability would gain kernel-level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-020

Vulnerability in OLE Automation Could Allow Remote Code Execution (2802968)


Microsoft Rating:

Critical

CVE:

CVE-2013-1313

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in OLE Automation. The patch fixes how memory is allocated when parsing specially constructed files. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be applied, block Office and WordPad files from untrusted sources and use MOICE when opening RTF files that are not from trusted sources. Additionally, block ActiveX controls from being executed within Office 2007/2010. Finally, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.
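Three of this month's interim workarounds come down to the same Internet Explorer zone settings: blocking ActiveX controls and Active Scripting in the Internet and Local intranet zones (MS13-009 and MS13-020 above) and blocking XAML browser applications (MS13-015). The script below is an added example, not BeyondTrust's or Microsoft's own tooling, that applies all three at once and audits the result. It relies on the documented per-user zone registry layout: zone 1 is Local intranet and zone 3 is Internet; URL action 1200 is "Run ActiveX controls and plug-ins", 1400 is "Active scripting" and 2401 is "XAML browser applications"; the values are 0 = Enable, 1 = Prompt, 3 = Disable. It assumes settings are managed per user under HKCU and that the revert value is the Microsoft default of Enable.

```powershell
# Added example (not part of the BeyondTrust advisory): IE zone hardening used as
# the interim workaround for MS13-009, MS13-015 and MS13-020, plus an audit.
# Runs in the context of the user whose IE settings are being changed.

$zonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones     = [ordered]@{ 1 = 'Local intranet'; 3 = 'Internet' }
$actions   = [ordered]@{
    '1200' = 'Run ActiveX controls and plug-ins'   # MS13-009 / MS13-020
    '1400' = 'Active scripting'                    # MS13-009 / MS13-020
    '2401' = 'XAML browser applications'           # MS13-015
}
$Disable = 3
$Enable  = 0   # Microsoft's default for these actions in both zones (assumption for the revert)

function Set-IeZoneActions {
    param([int]$Setting = $Disable)   # 3 = Disable (workaround), 0 = Enable (revert)
    foreach ($z in $zones.Keys) {
        $key = Join-Path $zonesRoot $z
        foreach ($a in $actions.Keys) {
            Set-ItemProperty -Path $key -Name $a -Value $Setting -Type DWord
        }
    }
}

function Get-IeZoneActions {
    # One row per zone/action so any deviation is visible at a glance
    foreach ($z in $zones.Keys) {
        $props = Get-ItemProperty -Path (Join-Path $zonesRoot $z)
        foreach ($a in $actions.Keys) {
            $raw = $props.$a   # $null when the value has never been written
            [pscustomobject]@{
                Zone    = $zones[$z]
                Action  = $actions[$a]
                Setting = switch ($raw) { 0 { 'Enable' } 1 { 'Prompt' } 3 { 'Disable' } default { "unset/$raw" } }
            }
        }
    }
}

Set-IeZoneActions -Setting $Disable
Get-IeZoneActions | Format-Table -AutoSize   # every row should read Disable
# After the patches are installed: Set-IeZoneActions -Setting $Enable
```

Disabling Active Scripting in the Local intranet zone breaks most internal web applications, which is why the bulletin pairs the workaround with "install the patch immediately" rather than offering it as a standing configuration. For a machine-wide rollout the same values are written under the HKLM hive together with the Security_HKLM_only policy, or pushed through Group Policy, instead of per user.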

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.