BeyondTrust

Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

April 2013 Patch Tuesday

Post by BeyondTrust Research Team April 9, 2013

Patch Tuesday is here again, and April’s collection of patches will fix vulnerabilities across various pieces of Microsoft operating systems and software. This includes Internet Explorer, the Remote Desktop Client, SharePoint, the Windows kernel (and some kernel-mode drivers), Active Directory, the Windows Client/Server Run-time Subsystem (CSRSS), Microsoft Antimalware Client, and an HTML sanitization component in various products like Office and Microsoft server software. In total, there are nine bulletins (2 critical and 7 important), which fix 14 vulnerabilities.

While Internet Explorer did get patched this month (MS13-028), it did not receive a fix for the recently disclosed zero-day. Instead, the patch addresses two use after free vulnerabilities that both affect every supported version of Internet Explorer (versions 6 through 10). Attackers will be looking into how to exploit these two vulnerabilities, since attackers can target multiple versions of Internet Explorer through the use of only a couple vulnerabilities, so it is important to deploy this patch as soon as possible.

In addition to the Internet Explorer patch, there is a fix provided for a vulnerability within the Microsoft Remote Desktop client (MS13-029). This patch fixes a use after free vulnerability that exists within the Remote Desktop client ActiveX control, mstscax.dll. Attackers can exploit this vulnerability by luring victims to attacker-controlled websites hosting malicious ActiveX controls. When viewed, the vulnerability would be exploited, granting attackers the ability to execute arbitrary code in the context of the user. Therefore, it is very important to get this patch rolled out as soon as possible.

Three patches this month focus on patching server software. MS13-030 fixes an information disclosure vulnerability affecting only the latest version of SharePoint Server, 2013. Attackers that exploit this vulnerability will be able to access SharePoint list items that would normally not be accessible to them. This vulnerability has been publicly disclosed, but it has not been seen exploited in the wild at the time of patch release. MS13-032 addresses a denial of service vulnerability in Active Directory, which affects every supported version of Windows, with the exception of Itanium-based Server 2008/2008 R2 installations and Windows RT. Attackers could send a malicious LDAP query that would exploit this vulnerability, exhausting the system’s memory, causing a denial of service. MS13-035 fixes an issue within the HTML Sanitization component found in various software packages like Microsoft InfoPath, SharePoint Server, Groove Server, SharePoint Foundation, and Office Web Apps. An attacker that successfully exploited this vulnerability would be able to execute scripts in a context that is not normally permitted, allowing the attacker to read restricted data or perform unauthorized actions on behalf of logged on users that opened links sent by the attacker. While this vulnerability was not publicly disclosed, it has been reportedly used in the wild in targeted attacks.

Four patches in this month’s collection address elevation of privilege vulnerabilities in various pieces of software. MS13-034 addresses an issue within Microsoft Antimalware Client, which grants an elevation of privilege to LocalSystem for locally authenticated attackers exploiting the vulnerability. It’s noteworthy that MS13-034 addresses an issue that only exists within Windows Defender for Windows 8 and Windows RT, while Windows Defender for all other versions of Windows is unaffected. MS13-031 fixes two race condition vulnerabilities, affecting every supported version of Windows, which could be exploited by locally authenticated attackers to read arbitrary amounts of memory in the kernel. MS13-033 provides a fix for a memory corruption vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS), affecting Windows XP, Server 2003, Vista, and Server 2008. For most systems, exploitation of this vulnerability would lead to a denial of service condition until the system is restarted, but for XP 64-bit and Server 2003, attackers could leverage the vulnerability to elevate their privileges to LocalSystem. This bug is less likely to see interest from attackers in the near future. Lastly, MS13-036 fixes four vulnerabilities in a kernel-mode driver; one vulnerability, CVE-2013-1293, has been publicly disclosed. One vulnerability within this bulletin, CVE-2013-1283, affects every supported version of Windows. With any of these privilege elevation vulnerabilities fixed in these bulletins, they become particularly potent when combined with a browser-based exploit, such as one targeting MS13-028 or MS13-029. With such an exploit combination, attackers can go from no code execution on a system to complete system compromise with just two exploits, so it is important to get these patches rolled out.

So be sure to get MS13-028 and MS13-029 patched as soon as possible, followed by the rest of the patches right after that. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, April 10 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

Update 4-11-13: Microsoft has released a support article stating that after installing MS13-036 on Windows 7 systems, some users are unable to recover from restarts and some applications will not load. It is recommended that users uninstall KB2823324 from MS13-036 until further notice.

Update 4-23-13: Microsoft has released KB2840149 to replace KB2823324. MS13-036 has the updated patch.

Tags:
, , ,

Leave a Reply

Additional articles

Vulnerability Expert Forum Highlights: April 2014

We had a great turnout for last week’s April 2014 Vulnerability Expert Forum (VEF) webcast. BeyondTrust Research experts, Carter and DJ, provided in-depth knowledge about the latest vulnerabilities and their potential impacts on network environments. Below are highlights from the Forum, plus an on-demand video of the presentation. Latest critical vulnerabilities, vendor patches, and zero-day…

Post by Chris Burd April 16, 2014
Tags:
, , , , ,
BI-5.1-user-asset-visibility-img

Understanding Who Has Access to What with BeyondInsight v5.1

Today, it’s my pleasure to introduce you to BeyondInsight version 5.1, the latest release of our IT Risk Management platform, which unifies several of our solutions for Privileged Account Management and Vulnerability Management. BeyondInsight v5.1 embodies BeyondTrust’s mission to give our customers the visibility they need to make smart decisions and reduce risk to their…

Post by Morey Haber April 15, 2014
Tags:
, , , , , , , , , , , ,

PowerBroker for Unix & Linux Now Available via Web Services

This week BeyondTrust released a fully functional Web Services interface (REST API) for its PowerBroker for Unix & Linux product.  With this new feature users of the solution will now be able to remotely and securely configure and retrieve data via the API.  The Web Services interface implemented by BeyondTrust is an industry standard that…

Post by Paul Harper April 10, 2014
Tags:
, , , , ,