September 2013 Patch Tuesday

BeyondTrust Research Team, September 10th, 2013

September’s Patch Tuesday fixes vulnerabilities in SharePoint, Outlook, Word, Excel, Kernel drivers, and more. There are a total of 13 patches, fixing 47 unique CVEs; four bulletins are rated critical and nine bulletins are rated important.

MS13-067 addresses ten vulnerabilities in SharePoint server, including versions 2003, 2007, 2010, and 2013, along with Office Web Apps 2010. The patch addresses multiple elevation of privilege vulnerabilities that could allow an attacker to execute code in the context of another SharePoint user. It also fixes multiple remote code execution vulnerabilities; many deal with memory corruptions having to do with processing Word documents. The patch also addresses a denial of service vulnerability. It should be noted that one of the elevation of privilege vulnerabilities, CVE-2013-3180, has been publicly disclosed, and is therefore going gain more attention by attackers. As the Snowden leaks have showed us, it is important to keep information stored on things like SharePoint as secure as possible. Therefore, make sure to get this patch rolled out as soon as possible.

MS13-068 fixes a critical privately reported vulnerability in Outlook, which could be used to execute arbitrary code in the context of the current user. It affects Outlook 2007 and 2010. Attackers can exploit this by crafting malicious S/MIME messages and sending them to target users. When the user opens the malicious message, the vulnerability will be exploited, causing the user’s system to be compromised and the attacker’s code to run in the context of the current user. Because of this attack vector, it is very important that this patch be rolled out as soon as possible.

MS13-069 addresses ten memory corruption vulnerabilities in Internet Explorer. While every supported version is affected, no single CVE affects every version of Internet Explorer. This is different than recent months where at least one CVE affected every supported version of Internet Explorer. Any of these vulnerabilities can be used in drive-by exploits that would result in the attacker’s code being executed in the context of the current user. This patch should be deployed as soon as possible.

A couple of non-Office client-side pieces of user land software were patched this month. MS13-070 fixes a privately disclosed vulnerability in Object Linking and Embedding (OLE), which is often used to embed multimedia content in documents. Additionally, MS13-071 addresses a vulnerability dealing with themes in Windows. Exploitation of this vulnerability would only be possible if a user applied a malicious theme. In the case of both of these bulletins, successful exploitation of the vulnerabilities would result in remote code being executed on the user’s system in the context of the current user’s account.

A number of Office products were fixed this month, including Word, Excel, and Access. MS13-072 patches 13 vulnerabilities in Office Word, in versions 2003, 2007, and 2010. Office 2013 was not affected by these vulnerabilities. MS13-073 addresses three vulnerabilities in Excel, spanning versions 2003, 2007, 2010, and 2013, as well as Office for Mac 2011. MS13-074 fixes three vulnerabilities in Access, affecting versions 2007, 2010, and 2013. All of these bulletins fix remote code execution vulnerabilities, as well as some other types of vulnerabilities. It should be noted that some of the vulnerabilities addressed in MS13-072 and MS13-073 were also addressed in MS13-067.

A few privilege elevation vulnerabilities, which could lead to system privileges, were fixed this month. MS13-075 addresses an issue with the Office 2010 Pinyin Input Method Editor (IME), which permits an attacker to launch Internet Explorer from the IME toolbar with system-level privileges, rather than the normal user-level privileges. MS13-076 fixes seven vulnerabilities in Windows kernel-mode drivers, affecting every supported version of Windows, with the exception of Windows 8.1, RT 8.1, and Server 2012 R2. MS13-077 patches a vulnerability in the Service Control Manager for Windows 7 and Server 2008 that can be exploited by attackers that modify the system’s registry. All of these bulletins require that an attacker be able to locally execute code on a system, meaning that unauthenticated exploitation is not possible. Attackers would likely combine this exploit with another exploit that targeted user land client-side software, such as one of the Office vulnerabilities patched this month.

Finishing off the patch cycle this month are the last couple of bulletins. MS13-078 fixes an information disclosure vulnerability in Microsoft FrontPage 2003. To exploit this, attackers would convince users to view a malicious FrontPage document, which would disclose local file contents to the attacker. Lastly, MS13-079 addresses a vulnerability in Active Directory, which could allow an attacker to cause a denial of service condition to occur on vulnerable systems by sending a malicious LDAP query. This could be used by attackers to cause a distraction while performing attacks on other systems throughout the network.

Be sure to patch SharePoint (MS13-067), Outlook (MS13-068), and Internet Explorer (MS13-069) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, September 11 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hey September VEF Attendees! Answer the question below and have a chance at winning an iPad Mini! Winner will be selected next week.

“What’s your best strategy (how-to) for managing and patching vulnerabilities in Microsoft products like SharePoint server and Office products?”

>> VEF News Articles

Internet has vuln.
Forget Passwords: Nymi Knows You By Your Heartbeat

IT Admin:
What NSA snoops like about the iPhone

Researchers: Oracle’s Java Security Fails
Researchers outwit Apple, plant malware in the App Store

>> VEF Questions & Comments

Haralambos mentioned that KB2817630 was pulled by Microsoft for an incompatibility with Outlook 2013. If your folder pane is blank in Outlook 2013, uninstall the update. Thanks Haralambos!

Jeffrey asked if Windows Theme files would be a good attack vector for bypassing anti-virus. Our take on this is that unless you have specifically told your AV engine to not scan theme files, the AV scan engine will scan the theme file while when it is downloaded and when it is accessed. If a malicious theme file is found in the wild or submitted to an antivirus company, a signature will be created and whatever AV solutions that have the signature will detect exploit attempts, provided the signature is effective.

Thank you to everyone that attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly