BeyondTrust

BeyondTrust Patch Tuesday

October 08, 2013

Microsoft Patch Tuesday

This month, Microsoft released eight patches that repair a total of 26 unique CVEs. Of these vulnerabilities, there were 17 remote code execution vulnerabilities, six elevation of privilege vulnerabilities, two denial of service vulnerabilities, and one information disclosure vulnerability.

Administrators are advised to patch MS13-080, MS13-081, and MS13-083 immediately to prevent exploitation by attackers. Next, administrators should patch MS13-082, MS13-084, MS13-085, and MS13-086 as soon as possible. Lastly, administrators should patch MS13-087 at their earliest convenience.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: BeyondTrust Research Team
  • Date/Time: Wednesday, October 9, 2013 1pm PT / 4pm ET

BULLETIN / ADVISORY DETAILS

MS13-080

Cumulative Security Update for Internet Explorer


Microsoft Rating:

Critical

CVE List:

CVE-2013-3871, CVE-2013-3872, CVE-2013-3873, CVE-2013-3874, CVE-2013-3875, CVE-2013-3882, CVE-2013-3885, CVE-2013-3886, CVE-2013-3893, and CVE-2013-3897

 

Analysis:

This bulletin addresses one publicly disclosed and nine privately reported remote code execution vulnerabilities in Internet Explorer. The patch fixes ten memory corruption vulnerabilities that occur when parsing specially crafted web pages. An attacker that successfully exploited any of these vulnerabilities would gain user level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Both CVE-2013-3893 and CVE-2013-3897 are being actively exploited in the wild. Until the patch can be installed, install the Microsoft Fix it solution for CVE-2013-3893. Additionally, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS13-081

Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution


Microsoft Rating:

Critical

CVE List:

CVE-2013-3128, CVE-2013-3200, CVE-2013-3879, CVE-2013-3880, CVE-2013-3881, CVE-2013-3888, and CVE-2013-3894

 

Analysis:

This bulletin addresses seven privately reported vulnerabilities in Windows kernel-mode drivers: two remote code execution vulnerabilities and five elevation of privilege vulnerabilities. The patch fixes two font parsing vulnerabilities, three memory corruptions, a use-after-free, and a double fetch vulnerability. An attacker that successfully exploited either of the font parsing vulnerabilities would gain kernel level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, mitigate the two font parsing vulnerabilities by disabling access to the Preview Pane and Details Pane in Windows Explorer. No mitigation is available for the other five vulnerabilities.

 

MS13-082

Vulnerabilities in .NET Framework Could Allow Remote Code Execution


Microsoft Rating:

Critical

CVE List:

CVE-2013-3128, CVE-2013-3860, and CVE-2013-3861

 

Analysis:

This bulletin addresses a publicly disclosed denial of service vulnerability, a privately reported remote code execution vulnerability, and a privately reported denial of service vulnerability in the .NET Framework. The patch fixes a font parsing vulnerability, an entity expansion vulnerability, and a JSON parsing vulnerability. An attacker that successfully exploited the OpenType font parsing vulnerability would gain access to the target machine with the same rights as the exploited .NET application.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-083

Vulnerability in Windows Common Control Library Could Allow Remote Code Execution


Microsoft Rating:

Critical

CVE:

CVE-2013-3195

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in the Windows common control library. The patch fixes an integer overflow in comctl32.dll that occurs within the DSA_InsertItem function. An attacker that successfully exploited this vulnerability would gain access to the target machine with the same rights as the exploited application.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers; no mitigation is available.

 

MS13-084

Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution


Microsoft Rating:

Important

CVE List:

CVE-2013-3889 and CVE-2013-3895

 

Analysis:

This bulletin addresses two privately reported vulnerabilities in SharePoint: a remote code execution vulnerability and a cross-site scripting vulnerability. The patch fixes a memory corruption and a parameter injection vulnerability. An attacker that successfully exploited the remote code execution vulnerability would gain access to the target machine with the same rights as the Excel SharePoint service.

 

Recommendation:

Deploy patches as soon as possible; no reasonable mitigations are available.

 

MS13-085

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution


Microsoft Rating:

Important

CVE List:

CVE-2013-3889 and CVE-2013-3890

 

Analysis:

This bulletin addresses two privately reported remote code execution vulnerabilities in Microsoft Excel. The patch fixes two memory corruption vulnerabilities that occur when parsing specially crafted Excel documents. An attacker that successfully exploited either of these vulnerabilities would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be applied, block Office Excel binary files (.xla, .xlb, .xlm, .xls, .xlt, and .xlw file extensions) and use MOICE when opening .xls, .xlt, and .xla files.

 

MS13-086

Vulnerabilities in Microsoft Word Could Allow Remote Code Execution


Microsoft Rating:

Important

CVE List:

CVE-2013-3891 and CVE-2013-3892

 

Analysis:

This bulletin addresses two privately reported remote code execution vulnerabilities in Microsoft Word. The patch fixes two memory corruption vulnerabilities that occur when parsing specially crafted Word documents. An attacker that successfully exploited either of these vulnerabilities would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be applied, block Office Word binary files (.doc and .dot file extensions) and use MOICE when opening .doc files.

 

MS13-087

Vulnerability in Silverlight Could Allow Information Disclosure


Microsoft Rating:

Important

CVE:

CVE-2013-3896

 

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in Silverlight. The patch fixes the way that Silverlight handles in-memory objects. An attacker that successfully exploited this vulnerability would gain the ability to view data from the victim's system.

 

Recommendation:

Deploy patches at the earliest convenience. Until the patch can be installed, block the Silverlight ActiveX control from executing within Internet Explorer, Firefox, or Chrome.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.