Microsoft’s Patch Tuesday Load for April 2013

Apr 09, 2013 | 9 mins
Application Security | Network Security

Microsoft releases nine security updates -- two for critical flaws in Internet Explorer and Remote Desktop Client.

Microsoft released nine security updates this afternoon. Two are for critical vulnerabilities in Internet Explorer and Remote Desktop Client. The rest, rated important, target security holes in Windows Defender and Active Directory, among other things.

Every month I like to share the analysis I get from various vulnerability management specialists. Here’s what I’ve received so far today:

BeyondTrust CTO Marc Maiffret:

  • While Internet Explorer did get patched this month (MS13-028), it did not receive a fix for the recently disclosed zero-day. Instead, the patch addresses two use-after-free vulnerabilities that both affect every supported version of Internet Explorer (versions 6 through 10). Attackers will be looking into how to exploit these two vulnerabilities, since they can target multiple versions of Internet Explorer with only a couple of vulnerabilities, so it is important to deploy this patch as soon as possible.
  • In addition to the Internet Explorer patch, there is a fix provided for a vulnerability within the Microsoft Remote Desktop client (MS13-029). This patch fixes a use-after-free vulnerability that exists within the Remote Desktop client ActiveX control, mstscax.dll. Attackers can exploit this vulnerability by luring victims to attacker-controlled websites hosting malicious ActiveX controls. When viewed, the vulnerability would be exploited, granting attackers the ability to execute arbitrary code in the context of the user. Therefore, it is very important to get this patch rolled out as soon as possible.
  • Three patches this month focus on patching server software. MS13-030 fixes an information disclosure vulnerability affecting only the latest version of SharePoint Server, 2013. Attackers that exploit this vulnerability will be able to access SharePoint list items that would normally not be accessible to them. This vulnerability has been publicly disclosed, but it has not been seen exploited in the wild at the time of patch release. MS13-032 addresses a denial of service vulnerability in Active Directory, which affects every supported version of Windows, with the exception of Itanium-based Server 2008/2008 R2 installations and Windows RT. Attackers could send a malicious LDAP query that would exploit this vulnerability, exhausting the system’s memory, causing a denial of service. MS13-035 fixes an issue within the HTML Sanitization component found in various software packages like Microsoft InfoPath, SharePoint Server, Groove Server, SharePoint Foundation, and Office Web Apps. An attacker that successfully exploited this vulnerability would be able to execute scripts in a context that is not normally permitted, allowing the attacker to read restricted data or perform unauthorized actions on behalf of logged on users that opened links sent by the attacker. While this vulnerability was not publicly disclosed, it has been reportedly used in the wild in targeted attacks.
  • Four patches in this month’s collection address elevation of privilege vulnerabilities in various pieces of software. MS13-034 addresses an issue within Microsoft Antimalware Client, which grants an elevation of privilege to LocalSystem for locally authenticated attackers exploiting the vulnerability. It’s noteworthy that MS13-034 addresses an issue that only exists within Windows Defender for Windows 8 and Windows RT, while Windows Defender for all other versions of Windows is unaffected. MS13-031 fixes two race condition vulnerabilities, affecting every supported version of Windows, which could be exploited by locally authenticated attackers to read arbitrary amounts of memory in the kernel. MS13-033 provides a fix for a memory corruption vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS), affecting Windows XP, Server 2003, Vista, and Server 2008. For most systems, exploitation of this vulnerability would lead to a denial of service condition until the system is restarted, but for XP 64-bit and Server 2003, attackers could leverage the vulnerability to elevate their privileges to LocalSystem. This bug is less likely to see interest from attackers in the near future.
  • Lastly, MS13-036 fixes four vulnerabilities in a kernel-mode driver; one vulnerability, CVE-2013-1293, has been publicly disclosed. One vulnerability within this bulletin, CVE-2013-1283, affects every supported version of Windows. Any of the privilege elevation vulnerabilities fixed in these bulletins becomes particularly potent when combined with a browser-based exploit, such as one targeting MS13-028 or MS13-029. With such an exploit combination, attackers can go from no code execution on a system to complete system compromise with just two exploits, so it is important to get these patches rolled out.
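The analysts above describe the MS13-029 attack path (a web page instantiating the vulnerable Remote Desktop ActiveX control, mstscax.dll) and, further down, note that the control can simply be disabled where it is not needed. The script below is an added example written for this page, not code from the article, BeyondTrust, Lumension or Microsoft: it sets the Internet Explorer "kill bit" (the 0x400 flag in a control's Compatibility Flags value) so IE refuses to load a control by CLSID, and reads the value back to confirm it took. The CLSID in the list at the bottom is a placeholder, not the RDP control's real identifier; the actual CLSIDs are published in the MS13-029 bulletin, and the script must be run from an elevated PowerShell session.

```powershell
# Added example (not from the article or any vendor): set and verify the IE kill bit
# for an ActiveX control. 0x400 is the documented COMPAT_EVIL_DONT_LOAD flag.
$KillBit = 0x400

# On 64-bit Windows the 32-bit IE process reads the Wow6432Node view, so both
# locations are updated; the second key simply does not exist on 32-bit Windows.
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

# Report whether the kill bit is currently set for $Clsid under one base key.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory)][string]$Clsid,
        [string]$Base = $CompatKeys[0]
    )
    $key   = Join-Path $Base $Clsid
    $flags = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Key     = $key
        KillBit = ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
    }
}

# Set the kill bit for $Clsid in every registry view present, preserving any other
# compatibility flags already stored, then return the verified state of each view.
function Set-ActiveXKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Clsid)

    $results = @()
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path -LiteralPath $base)) { continue }   # no Wow6432Node on 32-bit
        $key = Join-Path $base $Clsid
        if ($PSCmdlet.ShouldProcess($key, 'set Compatibility Flags kill bit')) {
            if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
            $existing = (Get-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
            $flags = ([int]$existing) -bor $KillBit   # OR in, so other flags survive
            Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $flags -Type DWord
        }
        $results += Test-ActiveXKillBit -Clsid $Clsid -Base $base
    }
    return $results
}

# PLACEHOLDER CLSID (assumption for illustration): replace with the CLSIDs listed
# in the MS13-029 bulletin. -WhatIf previews the registry writes without making them.
$RdpControlClsids = @('{00000000-0000-0000-0000-000000000000}')
foreach ($c in $RdpControlClsids) { Set-ActiveXKillBit -Clsid $c -WhatIf }
```

Drop the -WhatIf once the CLSID list is correct. Because the flag is OR-ed into the existing value rather than overwritten, a control that already carries other compatibility flags keeps them, and the returned objects show per-view whether the bit is actually present, which is the check to keep in a deployment log.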

Qualys CTO Wolfgang Kandek:

The most important bulletin is MS13-028, which contains a new release of IE that covers all versions of the browser and includes Windows RT, the operating system for mobile devices and tablets. This month marks the last year of support for the Windows XP operating system. In internal tracking, Qualys has noted that a large number — 27 percent of all machines — still use XP, even though the number has dropped from last year’s 57 percent. Organizations at this point should have a plan to migrate away from Windows XP and replace it with a more modern operating system, or even substitute certain machines with tablets, which are overall much easier to keep updated and thus, more secure.

Paul Henry, security and forensic analyst for Lumension:

For the April patches, your first priority is MS13-028, which is a use-after-free issue in all versions of IE. This is one of the few bulletins this month that has a critical impact on the current code, hitting Windows 8, Windows RT and Windows 7 with a critical remote code execution issue. It’s a pretty run-of-the-mill bug for the most part. However, there is a defense in depth issue here that was not assigned a CVE because it’s dependent on the user having Java 6.0 or older installed. Given the number of issues Java’s had lately, hopefully no one is still running old versions of Java. If you haven’t updated the software to 7.0 or newer, please do so immediately. Java 7.0 has an automatic update feature that will help keep machines secure with minimal effort from users as we wait for HTML5 to be ready for broad use. We recommend that this bulletin be your first patch and you should update Internet Explorer while you’re at it.

MS13-029 (RDP) will be your next priority. It affects RDP, but is not the type of issue we typically see in Windows RDP. This is a problem with the Windows RDP ActiveX control, so it can only be launched through a browser running ActiveX controls. However, it affects all versions of the RDP client. One of the important things here is that the server SKUs are rated moderate, but client SKUs are ranked critical. The ActiveX control can be disabled for those who don’t use it, which is a good way to help mitigate the risk of this vulnerability.

MS13-030 is an information disclosure issue in SharePoint Server 2013. If a user has multiple tenants on SharePoint, the information disclosure issue could allow authenticated users to view other users’ documents in SharePoint.

MS13-031 is a Windows kernel elevation of privilege issue. There are two CVEs addressed here that would allow a local low-rights user to be elevated to system-level access. One of the interesting things to note is that while one CVE affects all versions of Windows, the other affects only Windows 8 and is the result of faster, newer hardware for the Windows 8 system.

MS13-032 fixes a denial of service vulnerability in Active Directory affecting all versions of Active Directory and ADAM, which is the Active Directory Application Mode that serves as the lightweight version of Active Directory. An attacker in the Active Directory domain could send a malformed LDS request. When the request is processed, the server becomes stuck in a memory loop. The server will recover when the request is processed, but an attacker could continue sending requests to sustain the attack. This is an important vulnerability, but if you are running an Active Directory server, you really need to update this quickly.

Next is MS13-033, which affects CSRSS, a core Windows component. This is a memory corruption vulnerability that would allow a low-rights user system-level access, but does not affect newer versions of Windows.

MS13-034 is an elevation of privilege vulnerability in Windows Defender on Windows 8. An unquoted path error would allow an attacker to change the default mode strings or load order, effectively allowing the attacker to point to different binaries to load, instead of what’s intended by the OS. This would require that an attacker had already loaded a malicious binary onto the machine, which is why it is ranked important rather than critical. By quoting the path, the binaries would be locked, and the risk would be mitigated.

MS13-035 is an HTML sanitization issue. We’ve had a couple of these over the last year; the last time Microsoft updated this was MS12-066. Typically, an HTML sanitization issue needs to be cleaned up across multiple products and this is no different, affecting Office, InfoPath and SharePoint Server 2010.

MS13-036 is another kernel-mode driver issue, similar to the other kernel issue this month. There are four CVEs for this patch. Three allow a local user to use kernel race conditions to elevate to system access. The fourth CVE is a moderate elevation of privilege issue, which is unusual for Microsoft. To leverage this CVE, an attacker would need to be an admin, which removes the need to leverage it. Alternatively, a low-rights user would need to use a specially crafted external device, such as a USB. Last month, Microsoft had an interesting USB bug that got a lot of attention. This is nothing like that. Last month’s bug allowed computers to be attacked regardless of the user’s login status. This month’s bug only allows a logged-on, active system to be attacked, so logon credentials are required. There are easier ways for an attacker to get in.
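The MS13-034 commentary above describes the unquoted service path bug class and its fix (quote the path). The audit below is an added example written for this page, not code from the article, Lumension or Microsoft, and it generalizes the point to every service on a machine rather than the one Defender path: for an unquoted ImagePath with spaces it lists the binaries the service controller would try before the real one, checks whether a low-privileged principal can create files in those directories, and offers a remediation that quotes the executable. The sample path in the comments is constructed for illustration. It assumes PowerShell 3.0 or later (for Get-CimInstance) and an elevated session so every service and ACL is visible.

```powershell
# Added example (not from the article or any vendor): audit for unquoted service paths.
# For a constructed path such as
#   C:\Program Files\Example Vendor\agent.exe -svc
# the service controller tries C:\Program.exe, then C:\Program Files\Example.exe,
# before the real binary, so a user who can write to one of those directories gets
# code run under the service account (often LocalSystem).

# Return the candidate binaries Windows would try, in order, for an unquoted path;
# an empty list means the path is quoted or has no spaces and is unambiguous.
function Get-UnquotedPathCandidates {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$PathName)
    $p = $PathName.Trim()
    if ($p.StartsWith('"')) { return @() }
    # Keep only the executable portion; arguments after ".exe" do not affect parsing
    $m   = [regex]::Match($p, '^(.*?\.exe)', 'IgnoreCase')
    $exe = if ($m.Success) { $m.Groups[1].Value } else { $p }
    if ($exe -notmatch ' ') { return @() }
    $parts = $exe -split ' '
    $cands = New-Object System.Collections.Generic.List[string]
    for ($i = 1; $i -lt $parts.Count; $i++) {
        $cands.Add((($parts[0..($i - 1)] -join ' ') + '.exe'))
    }
    return $cands.ToArray()
}

# True when a low-privileged principal holds an Allow ACE that permits creating
# files in $Dir. Only Allow ACEs are inspected, so an explicit Deny could still
# block the write: treat a hit as "inspect", not as proof of exploitability.
function Test-LowPrivWritable {
    param([Parameter(Mandatory)][string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $lowPriv = @('Everyone', 'BUILTIN\Users',
                 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
    foreach ($ace in (Get-Acl -LiteralPath $Dir).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPriv -notcontains $ace.IdentityReference.Value) { continue }
        # \bWrite\b avoids matching WriteAttributes, which cannot create files
        if ("$($ace.FileSystemRights)" -match 'FullControl|Modify|\bWrite\b|CreateFiles|WriteData') {
            return $true
        }
    }
    return $false
}

# One object per service whose path is ambiguous, with the directories that matter.
function Find-UnquotedServicePath {
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $cands = Get-UnquotedPathCandidates -PathName ([string]$_.PathName)
        if ($cands.Count -eq 0) { return }      # 'return' skips to the next service
        [pscustomobject]@{
            Service    = $_.Name
            RunsAs     = $_.StartName
            PathName   = $_.PathName
            Candidates = $cands
            Writable   = @($cands | Where-Object { Test-LowPrivWritable (Split-Path -Parent $_) })
        }
    }
}

# The fix the commentary describes: wrap the executable in quotes so the service
# controller has exactly one interpretation. Arguments after ".exe" are kept as-is.
function Repair-ServicePath {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $img = ((Get-ItemProperty -LiteralPath $key -Name ImagePath).ImagePath).Trim()
    $m   = [regex]::Match($img, '^(.*?\.exe)(.*)$', 'IgnoreCase')
    if ($img.StartsWith('"') -or -not $m.Success) { return $img }   # nothing to do
    $fixed = '"' + $m.Groups[1].Value + '"' + $m.Groups[2].Value
    if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $fixed")) {
        Set-ItemProperty -LiteralPath $key -Name ImagePath -Value $fixed -Type ExpandString
    }
    return $fixed
}

Find-UnquotedServicePath | Format-List
# Repair-ServicePath -Name 'ExampleSvc' -WhatIf   # hypothetical service name; preview first
```

Services whose Writable list is non-empty are the ones worth acting on first; the rest are still misconfigured but need an attacker with write access to protected directories, which is the same precondition Paul Henry notes makes MS13-034 important rather than critical. Repair-ServicePath edits the registry directly; the equivalent is `sc.exe config <name> binPath=` with the quoted path, and either way the service should be restarted and the audit re-run to confirm.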