March 2013 Patch Tuesday: Cleaning House

BeyondTrust Research Team, March 12th, 2013

Patch Tuesday is upon us and this month, Microsoft is doing a little spring cleaning of vulnerabilities, fixing a well-rounded collection of client-side vulnerabilities, along with a few server-side vulnerabilities for good measure. This month, the affected software includes Internet Explorer, Silverlight, Visio Viewer, SharePoint, OneNote, Outlook for Mac, and a Windows kernel-mode driver. In total, there are 20 vulnerabilities addressed by seven bulletins, four of which are rated critical.

Boldly leading the charge of bulletins is Internet Explorer in MS13-021, with a whopping nine vulnerabilities, all of which are use after free vulnerabilities. This bulletin alone composes almost half of the vulnerabilities addressed this month. Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers. Of the nine CVEs addressed, seven of them affect every supported version of Internet Explorer, so attackers have many choices when selecting a vulnerability to exploit in the near future. It should be noted that one of the nine vulnerabilities was publicly disclosed, but it only affects Internet Explorer 8. Additionally, it does not appear that the Internet Explorer 10 vulnerabilities exploited by VUPEN at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month.

There are a couple other critical client-side vulnerabilities this month, composed of remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight bug could be exploited by attackers via a drive-by web page hosting a malicious Silverlight application, where the attacker would convince users to view the malicious web page through some form of social engineering, such as phishing attacks or watering hole attacks. The Visio Viewer vulnerability would similarly be exploited by convincing users to open seemingly legitimate email attachments, which has proven to be an effective tactic for attackers.

Additionally, Microsoft is patching a few vulnerabilities within SharePoint Server and SharePoint Foundation, addressed within MS13-024. These include three elevation of privilege vulnerabilities and a denial of service vulnerability. The elevation of privilege vulnerabilities could allow an attacker to execute actions as if they were a user logged onto the SharePoint site. The denial of service vulnerability would cause the entire SharePoint site to crash, requiring a manual restart. Needless to say, this bulletin patches some very disruptive vulnerabilities.

Finishing up the application vulnerabilities for this month are patches for OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026). Both of these bulletins address information disclosure vulnerabilities. The OneNote vulnerability allows an attacker to disclose information not normally available to the attacker, such as usernames and passwords. The Office for Mac vulnerability specifically affects the Outlook for Mac component, allowing attackers to load remote content when an HTML email message is viewed by users. This could be used by attackers to load a secondary exploit targeting a secondary vulnerability to compromise the victim’s system.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers. These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine. That means this is not the normal type of second-stage vulnerability that would be exploited to gain a deeper foothold on a system. Instead, this will only be exploited in very limited and targeted attacks.

And that wraps up this month’s Patch Tuesday overview. So make sure to get the critical patches (MS13-021, MS13-022, MS13-023, and MS13-024) rolled out as soon as possible, followed by the rest of the patches. Also, be sure not to miss the Vulnerability Expert Forum tomorrow, Wednesday, March 13 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.