
BeyondTrust Patch Tuesday

November 12, 2013

Microsoft Patch Tuesday

This month, Microsoft released eight patches that repair a total of 19 vulnerabilities. Of these vulnerabilities, there were 13 remote code execution vulnerabilities, four information disclosure vulnerabilities, an elevation of privilege vulnerability, and a denial of service vulnerability.

Administrators are advised to patch MS13-088, MS13-089, and MS13-090 immediately to prevent exploitation by attackers. Next, administrators should patch MS13-091, MS13-092, MS13-093, MS13-094, and MS13-095 as soon as possible.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: BeyondTrust Research Team
  • Date/Time: Wednesday, November 12, 2013, 1pm PT / 4pm ET

BULLETIN / ADVISORY DETAILS

MS13-088

Cumulative Security Update for Internet Explorer


Microsoft Rating: Critical

CVE List: CVE-2013-3871, CVE-2013-3908, CVE-2013-3909, CVE-2013-3910, CVE-2013-3911, CVE-2013-3912, CVE-2013-3914, CVE-2013-3915, CVE-2013-3916, and CVE-2013-3917

Analysis:

This bulletin addresses ten privately reported vulnerabilities in Internet Explorer: eight remote code execution vulnerabilities and two information disclosure vulnerabilities. The patch fixes both memory corruption and information disclosure issues that manifest when parsing malicious web pages. An attacker that successfully exploited one of the memory corruption vulnerabilities would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, avoid use of the print preview feature, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones. No workaround is available for CVE-2013-3909 (one of the two information disclosure vulnerabilities).

 

MS13-089

Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution


Microsoft Rating: Critical

CVE: CVE-2013-3940

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Graphics Device Interface (GDI). The patch fixes an integer overflow vulnerability that occurs when parsing malicious WordPad files. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, restrict use of the Word 6 converter by disabling access to mswrd8.wpc, and do not open any untrustworthy or suspicious .wri files with WordPad.

 

MS13-090

Cumulative Security Update of ActiveX Kill Bits


Microsoft Rating: Critical

CVE: CVE-2013-3918

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the InformationCardSigninHelper ActiveX control. The patch sets killbits for the affected control, icardie.dll, disabling its use. An attacker that successfully exploited this vulnerability would gain user-level access to the target machine.

Recommendation:

Install the patch immediately to prevent exploitation by attackers; this vulnerability is currently being exploited in the wild. Until the patch can be installed, manually set the killbits for the affected components (19916e01-b44e-4e31-94a4-4696df46157b, c2c4f00a-720e-4389-aeb9-e9c4b0d93c6f, and 53001f3a-f5e1-4b90-9c9f-00e09b53c5f1) using the Windows registry.

 

MS13-091

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution


Microsoft Rating: Important

CVE List: CVE-2013-0082, CVE-2013-1324, and CVE-2013-1325

Analysis:

This bulletin addresses three privately reported remote code execution vulnerabilities in Microsoft Word. The patch fixes a WPD file format memory corruption, a stack buffer overwrite vulnerability, and a heap overwrite vulnerability that occur when parsing WordPerfect documents. An attacker that successfully exploited one of these vulnerabilities would gain user-level access to the target machine.

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, block access to the affected WordPerfect file converters (wpft532.cnv and wpft632.cnv) and avoid opening WordPerfect files that are unexpectedly received or suspicious.

 

MS13-092

Vulnerability in Hyper-V Could Allow Elevation of Privilege


Microsoft Rating: Important

CVE: CVE-2013-3898

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in Hyper-V that can also be used as a denial of service vulnerability. The patch fixes how Hyper-V sanitizes user input from the guest machines. An attacker in a guest virtual machine that successfully exploited this vulnerability would gain the ability to crash the host system, and thereby all guests on the host, as well as the ability to execute arbitrary code on other guest machines on the host machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-093

Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure


Microsoft Rating: Important

CVE: CVE-2013-3887

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in the Windows ancillary function driver. The patch fixes a memory disclosure vulnerability that occurs when copying data between the kernel and userland. A local attacker that successfully exploited this vulnerability could view data in the kernel from userland, which would be useful when coupled with a secondary exploit to gain elevated privileges on the system.

Recommendation:

Deploy patches as soon as possible; no mitigation is available other than avoiding opening suspicious/unexpected executables.

 

MS13-094

Vulnerability in Microsoft Outlook Could Allow Information Disclosure


Microsoft Rating: Important

CVE: CVE-2013-3905

Analysis:

This bulletin addresses a publicly reported information disclosure vulnerability in Outlook. The patch fixes how S/MIME certificate metadata is expanded. An attacker that successfully exploited this vulnerability would gain the victim's IP address and discover which TCP ports are open on the system.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, disable the Reading Pane to mitigate the automatic processing of S/MIME certificates. However, this will not prevent S/MIME certificates from being processed if the user manually opens an email message.

 

MS13-095

Vulnerability in Digital Signatures Could Allow Denial of Service


Microsoft Rating: Important

CVE: CVE-2013-3869

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in the way Windows processes digital signatures. The patch fixes how X.509 certificates are validated. An attacker that successfully exploited this vulnerability would be able to crash any service processing X.509 certificates, such as a web service.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.