December 2013 Patch Tuesday

BeyondTrust Research Team, December 10th, 2013

December’s Patch Tuesday finishes up the year with patches for Internet Explorer, Office, SharePoint, Windows, and more. There are a total of 11 bulletins addressing 24 unique vulnerabilities; five bulletins are rated as critical and the other six are rated as important.

The zero-day vulnerability released just before last month’s Patch Tuesday is finally receiving a fix in MS13-096. CVE-2013-3906 affects Windows Vista, Server 2008, Office 2003/2007/2010, and Lync 2010/2013. This was originally disclosed in an advisory in November, along with an accompanying Fix It solution. This vulnerability has been exploited successfully in targeted attacks and exploits for it exist within publicly available exploit frameworks. Patch this vulnerability as soon as you can.

It is worth noting that the second zero-day vulnerability disclosed in November, CVE-2013-5065, is not receiving a patch this month. This elevation of privilege vulnerability affects both Windows XP and Server 2003. A workaround is available, but it breaks functionality such as VPN networking. A fix is forthcoming, but with no date publicly announced.

MS13-097 addresses multiple vulnerabilities within Internet Explorer and MS13-099 addresses a privately reported vulnerability in the Windows Scripting runtime (distributed with every version of Windows). These were all privately reported; none were seen exploited in the wild. Vulnerabilities addressed in both bulletins could be exploited in drive-by attacks where an attacker lures a victim to a page and is able to exploit their system to allow the attacker’s code to run in the context of the current user. Of note is CVE-2013-5048 in MS13-097, which attackers will find interesting since it affects every supported version of Internet Explorer. Roll this patch out as soon as possible.

Next is MS13-098, which addresses a privately reported vulnerability in every supported version of Windows. The vulnerability lies within the WinVerifyTrust signature validation mechanism in Windows. Attackers could use this vulnerability to make changes to a signed program without invalidating the program’s signature. This would be useful in social engineering situations where attackers would need to convince a user that a signed executable is legitimate and has been guaranteed to be safe by a trustworthy source. The executable would be signed by a trustworthy source, but it would execute the attacker’s code, while keeping the file’s signature intact. Exploits targeting this vulnerability have been seen in the wild, so deploy this patch as soon as possible.
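The bulletin text above does not say where the attacker-controlled bytes sit. As an added illustration (written for this page, not BeyondTrust's or Microsoft's code and not the MS13-098 patch logic), the following Python script applies one defender-side check that follows from the Authenticode format itself: the attribute certificate table is excluded from the signed hash, so any bytes in that table that fall outside the DER-encoded PKCS#7 signature blob are unauthenticated and can be changed without affecting the signature. `build_pe` and `SAMPLE_PKCS7` are constructed test fixtures, not real binaries.

```python
import struct

def find_cert_table(pe: bytes):
    """Locate the attribute certificate table via the optional header's
    IMAGE_DIRECTORY_ENTRY_SECURITY entry; returns (file offset, size)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    opt = e_lfanew + 4 + 20                              # skip signature + COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dir_off = opt + (128 if magic == 0x10B else 144)     # PE32 vs PE32+ layouts
    return struct.unpack_from("<II", pe, dir_off)

def der_length(blob: bytes) -> int:
    """Length in bytes of the outermost DER element (tag + length + content)."""
    first = blob[1]
    if first < 0x80:                                     # short-form length
        return 2 + first
    n = first & 0x7F                                     # long form: n length bytes follow
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")

def unsigned_tail(pe: bytes) -> int:
    """Number of bytes inside the WIN_CERTIFICATE entry that are not part of
    the PKCS#7 blob. The whole table is excluded from the Authenticode hash,
    so these bytes can change without invalidating the signature."""
    off, size = find_cert_table(pe)
    if size == 0:
        return 0                                         # unsigned file, nothing to check
    dw_length = struct.unpack_from("<I", pe, off)[0]     # WIN_CERTIFICATE.dwLength
    pkcs7 = pe[off + 8: off + dw_length]                 # skip 8-byte WIN_CERTIFICATE header
    return len(pkcs7) - der_length(pkcs7)

def build_pe(cert_blob: bytes, padding: bytes) -> bytes:
    """Constructed toy PE for testing: DOS header, PE signature, COFF header,
    PE32 optional header, then a WIN_CERTIFICATE holding cert_blob + padding."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)     # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    cert = struct.pack("<IHH", 8 + len(cert_blob) + len(padding), 0x200, 2)
    cert += cert_blob + padding                          # wRevision 2.0, PKCS_SIGNED_DATA
    struct.pack_into("<II", opt, 128, 64 + 4 + 20 + 224, len(cert))
    return dos + b"PE\0\0" + coff + bytes(opt) + cert

# Constructed stand-in for a PKCS#7 SignedData blob: SEQUENCE { INTEGER 1, NULL }
SAMPLE_PKCS7 = b"\x30\x05\x02\x01\x01\x05\x00"
```

Signing tools round dwLength up to a multiple of 8 with zero bytes, so a tail of up to 7 zero bytes is normal; a larger or non-zero tail is the finding worth investigating.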

MS13-100 brings a fix for SharePoint 2010 and 2013. The patch addresses a remote code execution vulnerability, which is not normally seen in SharePoint. SharePoint vulnerabilities are typically of the cross-site scripting variety and grant information disclosure, so this one will pique the interest of attackers more than usual. The attack vector remains the same: send malicious page content to the server. When this content is processed, the attacker’s code would be executed within the same context as the W3WP service account.

Some elevation of privilege vulnerabilities in Windows are patched this month with MS13-101 (Windows kernel) and MS13-102 (Windows Local Procedure Call). Vulnerabilities addressed in both bulletins permit elevation of the attacker’s code into higher security contexts. This would be useful for attackers wishing to hide their presence on a system. MS13-101 also fixes a couple of denial of service vulnerabilities caused by font parsing and integer overflow bugs. All of these vulnerabilities, except for the TrueType font parsing vulnerability, require that an attacker be logged on locally to an affected system to exploit them successfully. The TrueType vulnerability can be exploited via drive-by attacks, but it only produces a denial of service condition, rather than code execution.

ASP.NET SignalR received a patch this month in MS13-103 that closes an information disclosure vulnerability. This also affects Visual Studio Team Foundation Server 2013. The cross-site scripting vulnerability would permit an attacker to craft maliciously encoded input that, when opened by a user, would grant the attacker access to resources normally available only to the targeted user. Attackers would use this in targeted scenarios to perform actions on behalf of a user by socially engineering that user into opening the malicious link.

Microsoft Office received two updates this month with MS13-104 addressing a privately reported token hijacking vulnerability and MS13-106 addressing a publicly disclosed ASLR bypass. The token hijacking vulnerability requires that a user view an Office document on a malicious website. This would permit an attacker to impersonate the user by stealing their access token and use it to authenticate against a separate targeted site, such as a SharePoint site. This would allow the attacker to perform actions on that SharePoint site on behalf of the user. The ASLR bypass would be used by attackers in combination with a separate vulnerability in order to craft a complete working exploit. Both of these vulnerabilities have been successfully exploited in the wild.

Finally, MS13-105 addresses four separate vulnerabilities in Microsoft Exchange. Two Oracle Outside In vulnerabilities were patched; these were previously addressed by Oracle in its own products, which is why they are marked as publicly disclosed. The MAC disabled vulnerability, CVE-2013-1330, was previously addressed earlier this year in MS13-067, but in SharePoint; because the vulnerability re-manifested in Exchange, it is also marked as publicly disclosed. All of these vulnerabilities permit remote code execution if successfully exploited, but the MAC disabled vulnerability would permit it in the context of the Outlook Web Access service account. The final vulnerability addressed is a cross-site scripting vulnerability in the Outlook Web Access interface. Patch this vulnerability as soon as possible.

Be sure to patch the GDI+ 0day (MS13-096), Internet Explorer (MS13-097), Windows (MS13-098), the Microsoft Scripting Runtime (MS13-099), and Exchange Server (MS13-105) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, December 11 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Air!

What is your 2014 security strategy/game plan? What are you planning to roll-out and focus on in 2014 and why?

Most insightful and/or awesome answer wins!

>> VEF News Articles

Microsoft Condemns US Government As An “Advanced Persistent Threat”
GCHQ Used Fake LinkedIn Pages to Target Engineers
NSA ‘infected’ 50,000 networks with malware

IT Admin:
BGP Hacking
Millions of Android users ‘deceived’ by flashlight app that shares location with advertisers

W8.1 KASLR Bypass
Prezi Bug Bounty Fail