Beyondtrust

BeyondTrust Patch Tuesday

September 10, 2013

Microsoft Patch Tuesday

This month, Microsoft released 13 patches that repair a total of 47 vulnerabilities. Of these vulnerabilities, there were 31 remote code execution vulnerabilities, 11 elevation of privilege vulnerabilities, three information disclosure vulnerabilities, and two denial of service vulnerabilities.

Administrators are advised to patch MS13-067, MS13-068, and MS13-069 immediately to prevent exploitation by attackers. Lastly, administrators should patch MS13-070, MS13-071, MS13-072, MS13-073, MS13-074, MS13-075, MS13-076, MS13-077, MS13-078, and MS13-079 as soon as possible.

  • Web Event: Vulnerability Expert Forum (VEF)
  • Presenters: BeyondTrust Research Team
  • Date/Time: Wednesday, September 11, 2013 1pm PT/ 4pm ET

BULLETIN / ADVISORY DETAILS

MS13-067

Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution


Microsoft Rating:

Critical

CVE List:

CVE-2013-0081, CVE-2013-1315, CVE-2013-1330, CVE-2013-3179, CVE-2013-3180, CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3857, and CVE-2013-3858

 

Analysis:

This bulletin addresses one publicly disclosed and nine privately disclosed vulnerabilities, composed of seven remote code execution vulnerabilities, two elevation of privilege vulnerabilities, and a denial of service vulnerability in SharePoint Server. The patch fixes cross-site scripting vulnerabilities, memory corruptions, input validation vulnerabilities, and a denial of service vulnerability. An attacker that successfully exploited the cross-site scripting vulnerabilities would gain the ability to execute arbitrary script code in the context of the currently authenticated user.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers; no mitigation is available for CVE-2013-0081, CVE-2013-3179, and CVE-2013-3180. Until the patch can be installed, CVE-2013-1330 can be mitigated by enabling the viewstate MAC on sites where it is not yet enabled. The remaining six CVEs can be mitigated by not opening untrusted Office/Word files.

 

MS13-068

Vulnerability in Microsoft Outlook Could Allow Remote Code Execution


Microsoft Rating:

Critical

CVE:

CVE-2013-3870

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Microsoft Outlook. The patch fixes a failure to properly parse S/MIME messages. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches immediately; no mitigation is available.

 

MS13-069

Cumulative Security Update for Internet Explorer


Microsoft Rating:

Critical

CVE List:

CVE-2013-3201, CVE-2013-3202, CVE-2013-3203, CVE-2013-3204, CVE-2013-3205, CVE-2013-3206, CVE-2013-3207, CVE-2013-3208, CVE-2013-3209, and CVE-2013-3845

 

Analysis:

This bulletin addresses ten privately reported remote code execution vulnerabilities in Internet Explorer. The patch fixes multiple memory corruption vulnerabilities that occur when handling in-memory objects. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Install the patch immediately to prevent exploitation by attackers. Until the patch can be installed, block ActiveX controls and block/disable Active Scripting in both Internet and Local intranet zones.

 

MS13-070

Vulnerability in OLE Could Allow Remote Code Execution


Microsoft Rating:

Critical

CVE:

CVE-2013-3863

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Object Linking and Embedding (OLE). The patch fixes a memory corruption that occurs when handling in-memory objects. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, do not open untrusted Office files.

 

MS13-071

Vulnerability in Windows Theme File Could Allow Remote Code Execution


Microsoft Rating:

Important

CVE:

CVE-2013-0810

 

Analysis:

This bulletin addresses a privately reported remote code execution vulnerability in Windows themes. The patch fixes how Windows handles theme and screensaver files. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, do not open Windows themes from untrusted sources.

 

MS13-072

Vulnerabilities in Microsoft Office Could Allow Remote Code Execution


Microsoft Rating:

Important

CVE List:

CVE-2013-3160, CVE-2013-3847, CVE-2013-3848, CVE-2013-3849, CVE-2013-3850, CVE-2013-3851, CVE-2013-3852, CVE-2013-3853, CVE-2013-3854, CVE-2013-3855, CVE-2013-3856, CVE-2013-3857, and CVE-2013-3858

 

Analysis:

This bulletin addresses thirteen privately reported vulnerabilities: 12 remote code execution vulnerabilities and an information disclosure in Microsoft Office, in the Word component. The patch fixes how Word handles XML external entities, in addition to fixing multiple memory corruptions. An attacker that successfully exploited the remote code execution vulnerabilities would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, do not open Office files from untrusted sources. Additionally, use MOICE to handle .doc files and block .doc and .dot files from being opened through the use of the Microsoft Office File Block policy.

 

MS13-073

Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution


Microsoft Rating:

Important

CVE List:

CVE-2013-1315, CVE-2013-3158, and CVE-2013-3159

 

Analysis:

This bulletin addresses three privately reported remote code execution vulnerabilities in Microsoft Excel. The patch fixes how Excel handles XML external entities, in addition to fixing two memory corruptions. An attacker that successfully exploited the remote code execution vulnerabilities would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, do not open Office files from untrusted sources. Additionally, block .xls, .xla, .xlt, .xlm, .xlw, and .xlb files from being opened through the use of the Microsoft Office File Block policy.

 

MS13-074

Vulnerabilities in Microsoft Access Could Allow Remote Code Execution


Microsoft Rating:

Important

CVE List:

CVE-2013-3155, CVE-2013-3156, and CVE-2013-3157

 

Analysis:

This bulletin addresses three privately reported remote code execution vulnerabilities in Microsoft Access. The patch fixes memory corruption vulnerabilities that occur when parsing certain Access files. An attacker that successfully exploited this vulnerability would gain user level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible. Until the patch can be installed, do not open Office files from untrusted sources.

 

MS13-075

Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege


Microsoft Rating:

Important

CVE:

CVE-2013-3859

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in Microsoft Office Pinyin Input Method Editor (IME). The patch fixes an attack vector that permits a local attacker to open Internet Explorer with system privileges by launching it from the IME toolbar. This would grant the local attacker the ability to execute arbitrary code within the context of the System account.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-076

Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege


Microsoft Rating:

Important

CVE List:

CVE-2013-1341, CVE-2013-1342, CVE-2013-1343, CVE-2013-1344, CVE-2013-3864, CVE-2013-3865, and CVE-2013-3866

 

Analysis:

This bulletin addresses seven privately reported elevation of privilege vulnerabilities in Windows kernel-mode drivers. The patch fixes multiple-fetch vulnerabilities, as well as a memory corruption within the kernel. A local attacker that successfully exploited one of these vulnerabilities would gain kernel level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-077

Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege


Microsoft Rating:

Important

CVE:

CVE-2013-3862

 

Analysis:

This bulletin addresses a privately reported elevation of privilege vulnerability in the Windows Service Control Manager. The patch fixes a double free vulnerability that occurs when retrieving a corrupted service description from the Windows registry. A local attacker that successfully exploited this vulnerability would gain kernel level access to the target machine.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-078

Vulnerability in FrontPage Could Allow Information Disclosure


Microsoft Rating:

Important

CVE:

CVE-2013-3137

 

Analysis:

This bulletin addresses a privately reported information disclosure vulnerability in FrontPage. The patch fixes an information disclosure that occurs when parsing the DTD of an XML file. An attacker that successfully exploited this vulnerability would gain the ability to disclose contents of a file on a target system.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

MS13-079

Vulnerability in Active Directory Could Allow Denial of Service


Microsoft Rating:

Important

CVE:

CVE-2013-3868

 

Analysis:

This bulletin addresses a privately reported denial of service vulnerability in Microsoft Active Directory. The patch fixes how the LDAP directory service handles certain LDAP queries. An attacker that successfully exploited this vulnerability would be able to cause the vulnerable system to stop responding.

 

Recommendation:

Deploy patches as soon as possible; no mitigation is available.

 

Feedback

The BeyondTrust staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to communications@beyondtrust.com.

Disclaimer

The information within this advisory may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

Notice

Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of BeyondTrust. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email communications@beyondtrust.com for permission.