


Last Patch Tuesday of 2013 fixes 5 critical remote code execution flaws

Dec 10, 2013 | 6 mins
Data and Information Security, Microsoft, Security

Hooray, it's the last Patch Tuesday of 2013!

It’s the last Patch Tuesday for 2013, hooray! Be prepared for multiple reboots; there are 11 patches, five of which are rated critical and fix remote code execution (RCE) holes.

According to Microsoft’s suggested deployment priority, start with these three critical patches: MS13-096 is the fix for the RCE in maliciously crafted TIFF image files that can be exploited via Word; MS13-097 requires a restart, but closes seven vulnerabilities in Internet Explorer; and MS13-099 kills a bug in the Microsoft Scripting Runtime Object Library.

Recommended to be deployed second are two more critical RCE fixes. MS13-098 patches Windows, specifically a “vulnerability by modifying how the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable files”; it also requires a restart. MS13-105 “resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server.”

Of the six patches rated “Important,” four have an exploitability index of “1” for elevation of privilege (EoP). Microsoft suggested the following three be deployed second with the two critical fixes listed above:

MS13-100 “resolves multiple privately reported vulnerabilities in Microsoft Office server software” that “could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server.” MS13-101 will require rebooting, but fixes five privately reported vulnerabilities in Windows kernel-mode drivers.

MS13-102 closes a hole in Windows LRPC client. The “vulnerability could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client. An attacker who successfully exploited the vulnerability could then install programs; view, change, or delete data; or create new accounts with full administrator rights.” Lucky you, as this patch also requires a restart.

Of the last three patches recommended to be deployed third, only one has an exploitability index of “1.”

MS13-103 is the last EoP fix to close a vulnerability in ASP.NET SignalR. It’s “rated Important for ASP.NET SignalR versions 1.1.0, 1.1.1, 1.1.2, 1.1.3 and 2.0.0, and all supported editions of Microsoft Visual Studio Team Foundation Server 2013.”

MS13-104 closes a hole in Office that could allow information disclosure; the update is for supported editions of Microsoft Office 2013 and Microsoft Office 2013 RT software.

MS13-106 is rated as important, yet it is actively being exploited. Microsoft explained:

The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.

If you’re still on XP, like six agencies under DHS rule, then you are out of luck if you hoped Security Advisory 2914486, the critical zero-day attack on XP and Windows Server 2003, would be patched this month. Dustin Childs, of Microsoft’s Trustworthy Computing, announced, “We’re still working to develop a security update and we’ll release it when ready. Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue.”

Microsoft perhaps had hoped more customers would upgrade to Windows 8.1, as for a time the company announced the end of Windows 7 sales. However, after the unpleasant backlash, Microsoft backtracked on when it will stop selling Windows 7; the last sale date is now “to be determined.”

Yesterday, Microsoft released Security Advisory 2916652, which updates the Certificate Trust List (CTL) for all supported versions of Microsoft Windows to remove an improperly issued CA certificate; the certificate could be used to attempt spoofing content, carrying out phishing attacks, or performing man-in-the-middle attacks.

Today, Microsoft released three more Security Advisories and revised one:

Security Advisory 2905247 warned that any ASP.NET site for which view state Machine Authentication Code (MAC) has become disabled through configuration settings is vulnerable to attack. “The vulnerability could allow elevation of privilege and affects all supported versions of Microsoft .NET Framework except .NET Framework 3.0 Service Pack 2 and Microsoft .NET Framework 3.5 Service Pack 1.”

Security Advisory 2871690 is “an update for Windows 8 and Windows Server 2012 that revokes the digital signatures for nine private, third-party UEFI (Unified Extensible Firmware Interface) modules that could be loaded during UEFI Secure Boot. When the update is applied, the affected UEFI modules will no longer be trusted and will no longer load on systems where UEFI Secure Boot is enabled. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. At the time of this release, these UEFI modules are not known to be available publicly.”

Security Advisory 2915720 “informs customers of an impending change to how Windows verifies Authenticode-signed binaries.” According to Microsoft, “This is an interesting advisory on an interesting topic.”

It accompanies a security bulletin, MS13-098, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provides some suggested test scenarios to ensure your enterprise and executables are ready for the change. Again, since this change tightens security rather than addresses an issue, it’s more appropriate that we communicate this to you through an advisory.

Lastly, Microsoft chose to revise “Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28.”

If you haven’t been bored to tears and dozed off by now, then Microsoft also included a video overview for the last Patch Tuesday of 2013.


Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.