Patch Tuesday debriefing

Some post-Patch Tuesday analysis from a few vulnerability management experts.

This isn't a straight news report on Patch Tuesday. We took care of that yesterday. This is a day-after analysis, featuring the raw commentary a few vulnerability management experts kindly sent to my inbox.

[Main story: "Microsoft monthly patches touch Exchange, Windows, Explorer"]

Paul Henry, security and forensic analyst, Lumension:

It’s going to be a rough Valentine’s Day for many IT admins this month. With ongoing issues with Java and 12 bulletins from Microsoft, including 5 critical issues and many restarts, it’s going to be a very disruptive Patch Tuesday. It’s disturbing to note how many different Microsoft platforms are critically affected this month. Everything from Windows XP to the new Windows RT is critically impacted. It’s never a good sign when your current code base is impacted. There are also many more bulletins this month than we’ve seen in the last few months. We noted in December that 2012 brought more consistency and stability to Patch Tuesday than we saw in 2011. We hope that this month is a one-time spike and not a return to the yo-yo pattern of 2011.

MS13-010 is a vector markup language remote code execution vulnerability, though it seems like an Internet Explorer bulletin at first glance. Vector markup language is always parsed by the browser, which is why it affects all versions of IE. Unfortunately, this also means there is no real way to reduce or mitigate the risk of this vulnerability, which, consequently, makes it your highest priority patch for the month.

MS13-009 is a critical remote code execution issue and it addresses 13 CVEs. This is one of the larger numbers of IE CVEs that Microsoft has addressed in a single bulletin, although it’s by no means the biggest. While it looks tedious at first glance, it’s actually a fairly typical IE issue. In the spring, we tend to see higher IE patches as Microsoft cleans up the browser. Fortunately, none of these CVEs are under active attack.

MS13-020 is an update in OLEA (object linking and embedded automation). The impact of this bulletin is limited, only affecting XP Service Pack 3. However, this should be a very high priority for XP users because it is a remote code execution issue. Risk is mitigated slightly because authentication is required for execution. The primary vector for attack through this vulnerability would be parsing RTF files in email through OLEA.

MS13-011 is a media decompression vulnerability that could allow for a remote code execution. Fortunately, this one doesn’t affect any of the newer platforms. It’s a standard media player DirectShow vulnerability. Worst case scenario would be an end user browsing to a website with a codec that leverages the content the website is playing and it uses DirectShow to render the content.

MS13-012 is an Outside-In update for Exchange. There are essentially two of these updates this month: one for SharePoint, discussed later and this one for Exchange. This is a critical remote code execution issue and should be a high priority.

MS13-015 is an elevation of privilege vulnerability in .NET. We’ve seen previous updates to .NET in which a lot was changed but this one doesn’t change much. This bulletin is critical, but is fortunately not under active attack.

MS13-016 is a vulnerability in the kernel mode drivers. It’s significant because it addresses 30 CVEs but, before you panic, realize that it isn’t as bad as it looks. All the vulnerabilities addressed here are within a single component. However, different functions within that same component all have the same vulnerability. Microsoft could have chosen to mark this as a single CVE, but chose to present each individual change as a different CVE. This does affect all versions of Windows from XP to Windows 8.

MS13-013 is an important update adjusting a remote code execution issue in Fast Search for SharePoint 2010. Microsoft has issued Fast Search updates in the past, and this one is more limited than previous ones. It only affects the advanced filter pack. This is the Outside-In issue referenced above.

MS13-014 fixes a vulnerability in Microsoft Server that would allow denial of service. This issue affects the handling of file operations, such as file share. The network file system (NFS) role is not enabled by default, so the update is only offered to server systems that only have an NFS role enabled.

MS13-017 is a regular kernel update for an elevation of privilege issue with 3 CVEs. It affects all versions of Windows and is pretty similar to normal kernel updates.

MS13-018 fixes a TCP vulnerability that could allow denial of service. It affects Vista through Server 2012. This is reminiscent of the half-open connection SYN flood attacks we have had to deal with historically. Rather than using the SYN packet, now a FIN packet is used but the FIN handshake for connection tear down is not completed. Like the SYN flood, a FINWAIT attack could consume resources and cause a denial of service.

MS13-019 is an elevation of privilege vulnerability in CSRSS, which is Windows Client/Server Runtime Subsystem. This is a single CVE affecting a limited number of Windows platforms. It has to do with how CSRSS handles objects and memory. Last week, Microsoft also issued an advisory and patch for Flash, as did Adobe, for a vulnerability that was being exploited in the wild. For Microsoft users, this is Flash on Windows 8. However, it’s all Flash products from Adobe. We’d recommend you install these Flash patches as soon as possible, since this is under active attack.
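The FINWAIT resource-exhaustion pattern Henry describes for MS13-018 is something a defender can watch for in the host's own connection table. The following is an added example, not part of Henry's commentary or any vendor tool: it parses constructed netstat-style lines (the four-column TCP layout is an assumption) and flags remote peers holding an unusual number of half-closed connections.

```python
"""Added example: flag peers holding many half-closed (FIN_WAIT) TCP connections.

The sample below is constructed netstat-style output, not a real capture.
Column layout assumed: proto, local address, remote address, state.
"""
from collections import Counter

# Constructed sample (not real data): one peer leaves many sockets half-closed.
SAMPLE_NETSTAT = """\
  TCP    10.0.0.5:445     192.0.2.10:51001     FIN_WAIT_1
  TCP    10.0.0.5:445     192.0.2.10:51002     FIN_WAIT_1
  TCP    10.0.0.5:445     192.0.2.10:51003     FIN_WAIT_2
  TCP    10.0.0.5:445     192.0.2.10:51004     FIN_WAIT_1
  TCP    10.0.0.5:3389    198.51.100.7:40000   ESTABLISHED
  TCP    10.0.0.5:3389    198.51.100.7:40001   FIN_WAIT_2
  TCP    10.0.0.5:80      203.0.113.9:6000     TIME_WAIT
"""

# States in which the local side is waiting on the peer to finish tear-down.
HALF_CLOSED = {"FIN_WAIT_1", "FIN_WAIT_2"}


def parse_connections(text):
    """Yield (local, remote_ip, state) for each TCP line in netstat-style text."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue  # skip headers, UDP rows and anything malformed
        _proto, local, remote, state = parts
        # Split off the port; rsplit keeps bracketed IPv6 literals intact.
        remote_ip = remote.rsplit(":", 1)[0]
        yield local, remote_ip, state


def half_closed_by_peer(text):
    """Count half-closed connections per remote IP."""
    counts = Counter()
    for _local, remote_ip, state in parse_connections(text):
        if state in HALF_CLOSED:
            counts[remote_ip] += 1
    return counts


def peers_over_threshold(text, threshold=3):
    """Return remote IPs whose half-closed count meets the threshold, sorted."""
    return sorted(ip for ip, n in half_closed_by_peer(text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in half_closed_by_peer(SAMPLE_NETSTAT).most_common():
        print(f"{ip}: {n} half-closed")
    print("over threshold:", peers_over_threshold(SAMPLE_NETSTAT))
```

The threshold is a tuning knob: a baseline of normal FIN_WAIT counts per peer on the host should set it, since ordinary clients also pass through these states briefly.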

Marc Maiffret, CTO at BeyondTrust:

• There are quite a few client side vulnerabilities this month, with Internet Explorer contributing this month with 14 vulnerabilities spread across two bulletins (MS13-009 and MS13-010). It’s just so messed up that it couldn’t be fixed in one bulletin. In all fairness to Microsoft, though, they managed to make it by this month without having to address any Office vulnerabilities. However, the .NET Framework didn’t catch such an easy break, getting pegged with a patch to address an elevation of privilege vulnerability in MS13-015. Include those bugs with an OLE Automation vulnerability being patched in MS13-020, and you’ve got yourself a well-rounded collection of client-sided vulnerabilities that would make any attacker targeting an unpatched system giddy.

• Oracle strikes again this month with four vulnerabilities being bestowed upon two Microsoft products: Exchange (MS13-012) and FAST Search Server 2010 for SharePoint (MS13-013), each receiving fixes for two vulnerabilities. This is not the first time we’ve seen Oracle Outside In vulnerabilities affecting Microsoft products. Back in August, Exchange received an update addressing multiple Oracle Outside In vulnerabilities in MS12-058, and in October, FAST Search Server 2010 for SharePoint had its own collection of CVEs addressed in MS12-067. As we predicted in August 2012, more Outside In vulnerabilities have been found that affect Microsoft Exchange. We believe this trend of 3rd party vulnerabilities affecting Microsoft products will continue to be observed in the future.

• This month brings along fixes for multiple publicly disclosed vulnerabilities. It should be noted that Microsoft lists vulnerabilities previously fixed in 3rd party products as publicly disclosed (Oracle Outside In within MS13-012 and MS13-013), even though these vulnerabilities have not necessarily been directly disclosed by researchers or observed being exploited in the wild. That being said, there are also publicly disclosed vulnerabilities in DirectShow’s Media Decompression mechanism (MS13-011) and in the Client/Server Run-time Subsystem (MS13-019), addressing a remote code execution vulnerability and an elevation of privilege vulnerability respectively.

• The TCP/IP vulnerability addressed this month looks like it could be a pretty nasty one. It is an unauthenticated remote denial of service vulnerability affecting versions of Windows from Vista and onward, with no available workarounds. We’re still investigating how difficult it is to trigger this vulnerability, but it appears to have the potential to be quite a potent vulnerability. In the other corner of the Microsoft server vulnerability match, we’ve got a bug in NFS Server being patched (MS13-014), which could lead to a denial of service condition that could be exploited by authenticated attackers.

• Since its release, Windows RT has yet to miss an appearance on Patch Tuesday. This month is no different, with patches being released to address vulnerabilities in Windows RT. This includes fixes that affect software that can run on Windows RT (Internet Explorer in MS13-009 and MS13-010) and fixes to core parts of Windows itself (a truckload of vulnerabilities (30+) in the kernel in MS13-016 and MS13-017, and TCP/IP in MS13-018). Keep an eye out for more of these kernel vulnerabilities, as privilege elevation vulnerabilities will be sure to have a future in helping jailbreak Windows RT again, as seen last month.

• And that wraps up this month’s patch cycle. Make sure to prioritize patches for Internet Explorer (MS13-009), the .NET Framework (MS13-015), and Microsoft Exchange (MS13-012), and get the rest of the patches rolled out as soon as you can.

Wolfgang Kandek, CTO of Qualys:

The second Patch Tuesday of 2013 has a much higher volume than usual. There are 12 bulletins, five of which are critical, addressing a total of 57 vulnerabilities. But the majority are concentrated in two bulletins, one covering Internet Explorer (IE), the other one the Windows Kernel driver win32k.sys. The two bulletins affecting IE are the highest priority.

One of them, MS13-009, is referred to as the "core" IE update by Microsoft because it addresses a number of vulnerabilities in IE. It covers 13 bugs with all but one of them being Remote Code Execution vulnerabilities that can be used by an attacker to gain control over a user's machine via drive-by-download. That type of attack is common and is easily accomplished by surreptitiously installing malware on a Web surfer's computer when he or she visits a page with malicious code on it.

The second bulletin also for Internet Explorer, MS13-010, addresses a vulnerability in an ActiveX Dynamic-Link Library (DLL). It is rated critical and quite urgent to fix because the vulnerability is being exploited in the wild. The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional vector graphics. VML has been patched twice before, in 2007 and 2011, and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible.

Speaking of patching quickly: after last week's Flash release from Adobe to address two 0-day vulnerabilities, today they released a new version (APSB13-05) of their Flash plug-in, this time addressing 17 vulnerabilities. Users of IE 10 and Google Chrome will get updated automatically, because these two browsers integrate Adobe Flash in their sandboxes. By the way, Qualys' free

MS13-012. It addresses vulnerabilities in the popular Outlook Web Access (OWA) component of Microsoft Exchange caused by the inclusion of the Oracle Outside-In libraries in Exchange. Attackers could exploit this vulnerability by sending a malicious document to a user. If the user opens it through OWA, the act of rendering the document infects the mail server as it uses the vulnerable libraries. It is not the first time that the Oracle libraries have caused this problem in Exchange, and attackers might be quick in exploring this vulnerability. As a result, we recommend scheduling a patch as quickly as possible.

Here are a couple of other updates of note:

• MS13-020 is a critical bulletin that affects only installations of Windows XP, which is on its way to becoming obsolete. If you are still running XP, you should make this patch a high priority and start planning for its replacement as its end-of-life is set for April 2014.

• MS13-011 is the last critical bulletin and fixes an issue in Windows that can only be exploited when a certain codec popular in Asian countries is installed.

• MS13-016 is where the bulk of this month's vulnerabilities reside. Security researcher j00ru from Google reported 30 new vulnerabilities in a Microsoft kernel driver, all of which can be used to gain system privileges on a machine that the attacker already has some control over. BTW, j00ru is also on the team that is credited with 15 vulnerabilities found in Adobe Flash.
