April 2013 Patch Tuesday
Patch Tuesday is here again, and April’s collection of patches will fix vulnerabilities across various pieces of Microsoft operating systems and software. This includes Internet Explorer, the Remote Desktop Client, SharePoint, the Windows kernel (and some kernel-mode drivers), Active Directory, the Windows Client/Server Run-time Subsystem (CSRSS), Microsoft Antimalware Client, and an HTML sanitization component in various products like Office and Microsoft server software. In total, there are nine bulletins (2 critical and 7 important), which fix 14 vulnerabilities.
While Internet Explorer did get patched this month (MS13-028), it did not receive a fix for the recently disclosed zero-day. Instead, the patch addresses two use-after-free vulnerabilities that both affect every supported version of Internet Explorer (versions 6 through 10). Attackers will be looking into how to exploit these two vulnerabilities, since just a couple of vulnerabilities are enough to target multiple versions of Internet Explorer, so it is important to deploy this patch as soon as possible.
In addition to the Internet Explorer patch, there is a fix for a vulnerability within the Microsoft Remote Desktop client (MS13-029). This patch fixes a use-after-free vulnerability that exists within the Remote Desktop client ActiveX control, mstscax.dll. Attackers can exploit this vulnerability by luring victims to attacker-controlled websites hosting malicious ActiveX controls. When a victim views such a site, the vulnerability is exploited, granting attackers the ability to execute arbitrary code in the context of the user. Therefore, it is very important to get this patch rolled out as soon as possible.
Three patches this month focus on server software. MS13-030 fixes an information disclosure vulnerability affecting only the latest version of SharePoint Server, 2013. Attackers who exploit this vulnerability will be able to access SharePoint list items that would normally not be accessible to them. This vulnerability has been publicly disclosed, but it has not been seen exploited in the wild at the time of patch release. MS13-032 addresses a denial of service vulnerability in Active Directory, which affects every supported version of Windows, with the exception of Itanium-based Server 2008/2008 R2 installations and Windows RT. Attackers could send a malicious LDAP query that would exploit this vulnerability, exhausting the system’s memory and causing a denial of service. MS13-035 fixes an issue within the HTML Sanitization component found in various software packages like Microsoft InfoPath, SharePoint Server, Groove Server, SharePoint Foundation, and Office Web Apps. An attacker who successfully exploited this vulnerability would be able to execute scripts in a context that is not normally permitted, allowing the attacker to read restricted data or perform unauthorized actions on behalf of logged-on users who opened links sent by the attacker. While this vulnerability was not publicly disclosed, it has reportedly been used in the wild in targeted attacks.
Four patches in this month’s collection address elevation of privilege vulnerabilities in various pieces of software. MS13-034 addresses an issue within Microsoft Antimalware Client that lets locally authenticated attackers who exploit it elevate their privileges to LocalSystem. It’s noteworthy that MS13-034 addresses an issue that only exists within Windows Defender for Windows 8 and Windows RT, while Windows Defender for all other versions of Windows is unaffected. MS13-031 fixes two race condition vulnerabilities, affecting every supported version of Windows, which could be exploited by locally authenticated attackers to read arbitrary amounts of memory in the kernel. MS13-033 provides a fix for a memory corruption vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS), affecting Windows XP, Server 2003, Vista, and Server 2008. For most systems, exploitation of this vulnerability would lead to a denial of service condition until the system is restarted, but for XP 64-bit and Server 2003, attackers could leverage the vulnerability to elevate their privileges to LocalSystem. This bug is less likely to see interest from attackers in the near future. Lastly, MS13-036 fixes four vulnerabilities in a kernel-mode driver; one vulnerability, CVE-2013-1293, has been publicly disclosed. One vulnerability within this bulletin, CVE-2013-1283, affects every supported version of Windows. Any of the privilege elevation vulnerabilities fixed in these bulletins becomes particularly potent when combined with a browser-based exploit, such as one targeting MS13-028 or MS13-029. With such an exploit combination, attackers can go from no code execution on a system to complete system compromise with just two exploits, so it is important to get these patches rolled out.
So be sure to get MS13-028 and MS13-029 patched as soon as possible, followed by the rest of the patches right after that. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, April 10 at 1pm PT, where we cover these patches, as well as other security news.
Update 4-11-13: Microsoft has released a support article stating that after installing MS13-036 on Windows 7 systems, some users are unable to recover from restarts and some applications will not load. It is recommended that users uninstall KB2823324 from MS13-036 until further notice.
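For the update above, one way to find the Windows 7 machines that still have KB2823324 installed before removing it. This is an added example, not part of the original post; hosts.txt is a hypothetical inventory file, and the script assumes WMI access to each host with administrative rights.

```powershell
# Added example (not from the original post): inventory KB2823324 across hosts.
# hosts.txt is a hypothetical file with one computer name per line.
param(
    [string]$HostList = '.\hosts.txt',   # assumed input file
    [string]$KbId     = 'KB2823324'      # update named in the 4-11-13 note
)

$results = foreach ($computer in Get-Content -Path $HostList) {
    $computer = $computer.Trim()
    if (-not $computer) { continue }
    try {
        # -ErrorAction Stop turns an unreachable host into a catchable error.
        $os = Get-WmiObject -Class Win32_OperatingSystem `
                            -ComputerName $computer -ErrorAction Stop
        # Windows 7 is version 6.1 with ProductType 1 (workstation);
        # Server 2008 R2 is also 6.1 but reports ProductType 2 or 3.
        $isWin7 = ($os.Version -like '6.1*') -and ($os.ProductType -eq 1)
        # Get-HotFix writes an error when the KB is absent; suppress it and
        # treat "nothing returned" as "not installed".
        $hotfix = Get-HotFix -Id $KbId -ComputerName $computer `
                             -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Computer    = $computer
            OS          = $os.Caption
            IsWindows7  = $isWin7
            KbInstalled = [bool]$hotfix
            Status      = 'OK'
        }
    } catch {
        New-Object PSObject -Property @{
            Computer    = $computer
            OS          = $null
            IsWindows7  = $null
            KbInstalled = $null
            Status      = "Query failed: $($_.Exception.Message)"
        }
    }
}

$results | Select-Object Computer, OS, IsWindows7, KbInstalled, Status |
    Format-Table -AutoSize

# Print (do not run) the removal command for Windows 7 hosts that have the KB.
$kbNumber = $KbId -replace '^KB', ''
$results | Where-Object { $_.IsWindows7 -and $_.KbInstalled } | ForEach-Object {
    "{0}: wusa.exe /uninstall /kb:{1} /quiet /norestart" -f $_.Computer, $kbNumber
}
```

Hosts that report "Query failed" were not checked and need a separate look; the wusa.exe line is only printed so the removal can be scheduled through the usual change process.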