January 2013 Patch Tuesday: Patches, but none for the IE 0day!

BeyondTrust Research Team, January 8th, 2013

Happy New Year! Starting off 2013, we’ve got a critical vulnerability within the Windows Print Spooler, and we’re still seeing bugs surface in widely used software like MSXML, the .NET framework, and SSL/TLS. January’s Patch Tuesday greets us with seven patches, addressing 12 vulnerabilities across a spectrum of Microsoft software. Two of these bulletins are rated critical, while the rest are rated important.

The first of the critical bulletins, MS13-001, addresses a critical remote code execution vulnerability in the Windows Print Spooler, which manages printing tasks that are sent to the system. According to preliminary details it appears an attacker would need to queue a specially crafted print job to a shared printer, once that print job was queued then an attacker would potentially be able to compromise systems that enumerate the shared printer queue. The catch, according to Microsoft, is that by default Windows itself does not enumerate shared printer queues in a vulnerable way but third-party printer management software does in some cases. In Microsoft’s bulletin, they say the only mitigating factor is firewalling or disabling the printer service. However, given the extra requirements, it seems harder to exploit than the bulletin would let on. This would normally be considered a wormable vulnerability; however, the default Windows drivers do provide access to the vulnerable functionality, so it would require 3rd party software, such as manufacturers’ drivers, to open the attack vector for this vulnerability. Even though it is not wormable, it is still a critical vulnerability, so if you’re managing Windows 7 or Server 2008 R2 systems (including server core), make sure to get this patch rolled out as soon as possible.

Next, MS13-002 patches some holes in MSXML 3.0, 4.0, 5.0, and 6.0. MSXML is a core processing utility that can be used to process XML data and is included with all versions of Windows, in addition to being bundled with other software, such as Microsoft Office 2003 & 2007, SharePoint Server 2007, Groove Server 2007, and Expression Web. The two vulnerabilities patched in this bulletin can be used by attackers to execute code when certain XML data is processed by an application utilizing MSXML services. Because this affects so many different pieces of software, including all supported versions of Windows, this is another patch that is incredibly important to get deployed as soon as possible.

A good Patch Tuesday isn’t complete without a little .NET action, so Microsoft has provided just that with MS13-004. This bulletin patches vulnerabilities affecting every supported version of .NET, with the exception of .NET 3.5 SP1. Three of the four vulnerabilities addressed in this bulletin allow attackers to raise their privileges to being able to execute code on the vulnerable system just as if the attacker were a legitimate user on that machine.

Other bulletins of note include MS13-005, which addresses an issue with how the Windows kernel handles window broadcast messages. While this does not grant direct code execution, it may be useful as the first step of a multi-stage attack that attackers would use to increase their privileges to kernel level. The other bulletin of note, MS13-006, addresses a security feature bypass affecting SSL/TLS in Windows. This could be used by attackers to perform man-in-the-middle attacks and lower the SSL version to a level that supports cyphers that could be cracked.

Lastly for this month’s patches, MS13-003 addresses a couple of cross-site scripting vulnerabilities within the System Center Operations Manager, and MS13-007 addresses a vulnerability in the Windows implementation of the Open Data Protocol, which could be used to cause a denial of service condition to IIS by resource exhaustion.

This month marks the inclusion of six new vulnerabilities in Windows RT, addressed in MS13-002, MS13-004, MS13-005, and MS13-006. This is the third month since Windows RT started receiving updates and it has received security updates for each month during that time. This month’s Patch Tuesday comes just two days after a security researcher revealed how to run unsigned code on Windows RT.

If you’ve been following the security news recently, you’ll no doubt have heard of the recently disclosed Internet Explorer zero day, CVE-2012-4792, that made its rounds this last month. Well, you’ll also note that this month does not include a fix for that vulnerability. While a Fix it does exist, no full patch has been released by Microsoft. Additionally, some researchers have claimed to bypass the Fix it. Because no patch currently exists, attackers will be having a heyday, since publicly available exploits exist to target this vulnerability. It only affects Internet Explorer versions 6 through 8, so if you are able to do so, upgrade to Internet Explorer 9 or 10 or use an alternate browser such as Chrome.

So be sure to get those first two patches, MS13-001 and MS13-002, rolled out as soon as you can, as they are the most critical among this month’s collection. We hope you have a great start to your new year.


VEF ATTENDEES: If you joined our January VEF and have an answer to our giveaway question, then you’re in the right spot! Post your answer in the comments below! Most compelling answer wins a Kindle Fire!