NEW: Microsoft Vulnerabilities Report 2022 - Read the Findings of Our Annual Report Read Now

  • Partners
  • Support
  • Careers
  • English
    • Deutsch
    • français
    • español
    • 한국어
    • português
BeyondTrust
  • Products

    Privileged Password Management

    Discover, manage, audit, and monitor privileged accounts and credentials.

    • Password Safe
    • DevOps Secrets Safe
    • Privileged Access Discovery Application

    Endpoint Privilege Management

    Enforce least privilege across Windows, Mac, Linux, and Unix endpoints.

    • Windows and Mac
    • Unix and Linux
    • Active Directory Bridge

    Secure Remote Access

    Centrally manage remote access for service desks, vendors, and operators.

    • Remote Support
    • Privileged Remote Access
    • Privileged Access Discovery Application

    Cloud Security Management

    Automate the management of identities and assets across your multicloud footprint.

    • Cloud Privilege Broker

    BeyondInsight

    Experience the industry’s most innovative, comprehensive platform for privileged access management.

  • Solutions

    Use Cases

    • Cloud Security
    • Compliance
    • Cyber Insurance
    • Digital Transformation
    • Endpoint Security
    • Operational Technology
    • Ransomware
    • Service Desk Efficiency
    • Zero Trust

    Industry Applications

    • Financial Services
    • Government Agencies
    • Healthcare
    • Law Enforcement
    • Manufacturing
    • Schools & Universities

    Solutions

    The BeyondTrust Privileged Access Management portfolio is an integrated solution that provides visibility and control over all privileged accounts and users.

  • Resources

    Learn

    • Blog
    • Customer Stories
    • Competitor Comparisons
    • Datasheets
    • Demos
    • Glossary
    • Podcast
    • Whitepapers

    Attend

    • Events
    • Go Beyond
    • Training
    • Webinars

    Support

    • Changelog
    • Professional Services
    • Technical Documentation

    Universal Privilege Management

    Our innovative Universal Privilege Management approach secures every user, asset, and session across your entire enterprise.

  • Company
    • About
    • Leadership
    • Core Values
    • Partners
    • Careers
  • Watch Demo
  • Contact Sales

November 2013 Patch Tuesday

November 12, 2013

  • Blog
  • Archive
November's Patch Tuesday cycle brings us fixes for a variety of software including Internet Explorer, the Graphics Device Interface (GDI), Office, Hyper-V, Outlook, and others. There are a total of 8 patches, fixing 19 unique vulnerabilities; three bulletins are rated as critical and the other five are rated as important. If you've been following the news at all these past couple weeks, you will have noticed that not one, but TWO zero-day vulnerabilities have been seen exploited in the wild that target Internet Explorer. The first zero-day, CVE-2013-3906, was announced by Microsoft in an advisory and in a blog post stating that it was seen being used against targets in the Middle East and South Asia. While the most recent versions of Windows and Office are unaffected, Vista, Server 2008, and Office 2003 through 2010 are affected, so it is very important to get the Fix it rolled out as soon as possible to help protect vulnerable systems. No official patch from Microsoft has been released at this point. The second zero-day recently seen is being patched today. MS13-090 provides a fix for this vulnerability by setting killbits for the InformationCardSigninHelper ActiveX control. This was originally reported by FireEye. This vulnerability permits remote code execution on a victim's system via browse-and-get-owned scenarios. This mimics the attack vector present for vulnerabilities addressed in Internet Explorer this month. While server core versions of Windows Server 2008 and 2012 escaped being affected by this vulnerability, all other supported versions of Windows are affected. Because this has seen active attacks in the wild, it is extremely important to roll this patch out as soon as possible. Following the topic of Internet Explorer, MS13-088 addresses 10 vulnerabilities in Microsoft's browser, fixing versions 6 through 11. Among the vulnerabilities, there are two information disclosure bugs and eight memory corruption issues that enable remote code execution--two of which (CVE-2013-3915 and CVE-2013-3917) affect every supported version of Internet Explorer. These were all privately reported, with no known exploitation occurring in the wild. Typical exploitation scenarios will include attackers creating a malicious web page and convincing users to view the page, enabling the attackers to execute arbitrary code on the victims' machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible. The next bulletin, MS13-089, fixes a vulnerability in GDI, which affects every supported version of Windows from XP to Windows 8.1. To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as a browse-and-get-owned scenario offered by MS13-088, it is still potent, due to the fact that it affects every version of supported Windows. Administrators should deploy this patch out as soon as possible. Next in the bulletin line-up is MS13-091, addressing three vulnerabilities in Microsoft Office, specifically in Word. Versions affected include Office 2003, 2007, 2010, and 2013. All three vulnerabilities were privately reported with no known exploitation taking place in the wild. One of the vulnerabilities, CVE-2013-1324, affects every supported version of Microsoft Office, so attackers will focus on that one in particular. Because these are all remote code execution vulnerabilities, successful exploitation will result in an attacker's code being able to run on a victim's machine within the context of the current user. Another Office-related vulnerability is being fixed this month in MS13-094. This bulletin fixes an information disclosure vulnerability affecting Outlook 2007, 2010, and 2013. While it has not been observed exploiting users in the wild, it has been publicly disclosed. The vulnerability itself manifests when S/MIME certificate metadata is expanded. Attackers could use this vulnerability to obtain the IP address of the victim, as well as open TCP ports, which is useful when performing reconnaissance against a network in preparation for an attack. The more information an attacker can gain about a target, the higher of a chance the attack will succeed. MS13-092 brings a fix for Hyper-V, addressing an elevation of privilege vulnerability. This affects Windows 8 and Server 2012 (8.1 and Server 2012 R2 are unaffected). To exploit this vulnerability, an attacker would need to gain access to a guest virtual machine within a Hyper-V host. From there, they would need to execute a malicious program, which would either 1) crash the host system, thereby denying service to any users or systems utilizing any guests on the host or 2) execute code on another guest running on the affected host machine. The denial of service attack would be useful for causing a disruption as a distraction, whereas the ability to execute arbitrary code on another guest machine could be incredibly valuable in the context of hosted virtual machine scenarios, permitting the takeover of other guests running on affected Hyper-V hosts. Lastly, the remaining two bulletins this month fix an information disclosure (MS13-093) and a denial of service (MS13-095). MS13-093 addresses a memory disclosure vulnerability in the Windows ancillary function driver, which could be used in conjunction with a secondary exploit to elevate privileges on a system to kernel level. MS13-095 permits an attacker to crash an affected web service when parsing a malicious X.509 certificate. This could be utilized by attackers to cause a distraction, while they attack other systems on the network. Be sure to patch the ActiveX 0day (MS13-090), Internet Explorer (MS13-088), and GDI (MS13-089) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, November 13 at 1pm PT, where we cover these patches, as well as other security news. Sign up here. >> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7! In light of our upcoming BeyondSaaS launch, we want to know, do you currently conduct vulnerability assessment scans from the cloud? And if so, how? How often are you doing external scans? Most awesome answer wins! >> VEF News Articles Mentioned: BlackBerry Link Remote Code Execution Vulnerability CxO: Google Encrypts Internal Network Cyberattack On Haifa Road Network Work Of Unknown, Sophisticated Hackers IT Admin: Project Shield Digital Attack Map Researcher: Hidden chips 'launch spam attacks from irons‘ DARPA slaps $2m on the bar for the ULTIMATE security bug SLAYER >> VEF Questions & Comments Edward had asked us for our thoughts regarding using Tor as an enterprise browser standard. DJ's thoughts were primarily centered on reliability, or lack thereof. Tor is slow and cannot absolutely guarantee anonymity. But, Carter brought a much more relevant and interesting point to light which is that once you're on the Tor network, your data is in the hands of third parties. If you're transporting sensitive content, like medical records or intellectual property, you may run into significant legal repercussions. Chris had mentioned a certain three-letter agency mucking about with encryption popular algorithms... we're just going to leave this advisory here. Thank you to everyone that attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly research@BeyondTrust.com.
Photograph of Scott Lang

Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.

Stay Up To Date

Get the latest news, ideas, and tactics from BeyondTrust. You may unsubscribe at any time.

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

You May Also Be Interested In:

Whitepapers

Microsoft Vulnerabilities Report 2022

Whitepapers

Cybersecurity Insurance Checklist

Whitepapers

Privileged Access Management: PAM Checklist

Keep up with BeyondTrust

I agree to receive product related communications from BeyondTrust as detailed in the Privacy Policy, and I may manage my preferences or withdraw my consent at any time.

Customer Support
Contact Sales

Products

  • Endpoint Privilege Management
  • Password Management
  • Privileged Remote Access
  • DevOps Secrets Safe
  • Remote Support
  • Cloud Privilege Broker

Resources

  • Blog
  • Case Studies
  • Competitor Comparisons
  • Datasheets
  • Glossary
  • Podcast
  • Videos
  • Webcasts
  • Whitepapers

About

  • Company
  • Careers
  • Contact
  • Events
  • Leadership Team
  • Partner Program
  • Press
BeyondTrust Logo
  • Facebook
  • Twitter
  • LinkedIn
  • Privacy
  • Security
  • Manage Cookies
  • WEEE Compliance

Copyright © 1999 — 2022 BeyondTrust Corporation. All rights reserved. Other trademarks identified on this page are owned by their respective owners. BeyondTrust Corporation is not a chartered bank or trust company, or depository institution. It is not authorized to accept deposits or trust accounts and is not licensed or regulated by any state or federal banking authority.