February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients

BeyondTrust Research Team, February 12th, 2013

It’s that time again, folks. This month’s Patch Tuesday brings us an assortment of client side vulnerabilities, from vulnerabilities affecting Internet Explorer to Exchange to TCP/IP, and much more. A total of 57 vulnerabilities are addressed across a spread of 12 bulletins, five of which are rated critical.

There are quite a few client side vulnerabilities this month, with Internet Explorer contributing this month with 14 vulnerabilities spread across two bulletins (MS13-009 and MS13-010). It’s just so messed up that it couldn’t be fixed in one bulletin. In all fairness to Microsoft, though, they managed to make it by this month without having to address any Office vulnerabilities. However, the .NET Framework didn’t catch such an easy break, getting pegged with a patch to address an elevation of privilege vulnerability in MS13-015. Include those bugs with an OLE Automation vulnerability being patched in MS13-020, and you’ve got yourself a well-rounded collection of client-sided vulnerabilities that would make any attacker targeting an unpatched system giddy.

Oracle strikes again this month with four vulnerabilities being bestowed upon two Microsoft products: Exchange (MS13-012) and FAST Search Server 2010 for SharePoint (MS13-013), each receiving fixes for two vulnerabilities. This is not the first time we’ve seen Oracle Outside In vulnerabilities affecting Microsoft products. Back in August, Exchange received an update addressing multiple Oracle Outside In vulnerabilities in MS12-058, and in October, FAST Search Server 2010 for SharePoint had its own collection of CVEs addressed in MS12-067. As we predicted in August 2012, more Outside In vulnerabilities have been found that affect Microsoft Exchange. We believe this trend of 3rd party vulnerabilities affecting Microsoft products will continue to be observed in the future.

This month brings along fixes for multiple publicly disclosed vulnerabilities. It should be noted that Microsoft lists vulnerabilities previously fixed in 3rd party products as publicly disclosed (Oracle Outside In within MS13-012 and MS13-013), even though these vulnerabilities have not necessarily been directly disclosed by researchers or observed being exploited in the wild. That being said, there are also publicly disclosed vulnerabilities in DirectShow’s Media Decompression mechanism (MS13-011) and in the Client/Server Run-time Subsystem (MS13-019), addressing a remote code execution vulnerability and an elevation of privilege vulnerability respectively.

The TCP/IP vulnerability addressed this month looks like it could be a pretty nasty one. It is an unauthenticated remote denial of service vulnerability affecting versions of Windows from Vista and onward, with no available workarounds. We’re still investigating how difficult it is to trigger this vulnerability, but it appears to have the potential to be quite a potent vulnerability. In the other corner of the Microsoft server vulnerability match, we’ve got a bug in NFS Server being patched (MS13-014), which could lead to a denial of service condition that could be exploited by authenticated attackers.

Since its release, Windows RT has yet to miss an appearance on Patch Tuesday. This month is no different, with patches being released to address vulnerabilities in Windows RT. This includes fixes that affect software that can run on Windows RT (Internet Explorer in MS13-009 and MS13-010) and fixes to core parts of Windows itself (a truckload of vulnerabilities (30+) in the kernel in MS13-016 and MS13-017, and TCP/IP in MS13-018). Keep an eye out for more of these kernel vulnerabilities, as privilege elevation vulnerabilities will be sure to have a future in helping jail break Windows RT again, as seen last month.

And that wraps up this month’s patch cycle. Make sure to prioritize patches for Internet Explorer (MS13-009), the .NET Framework (MS13-015), and Microsoft Exchange (MS13-012), and get the rest of the patches rolled out as soon as you can.

Patch Tuesday Assessment
Let us take you through each patch at our monthly Vulnerability Expert Forum. Starting tomorrow, Wednesday, February 13 at 1pm PT. We’ll walk you through the Patch Tuesday releases and cover other news from the past month. Sign up for free today.