Security in Context: The BeyondTrust Blog

April 2013 Patch Tuesday

Posted April 9, 2013    BeyondTrust Research Team

Patch Tuesday is here again, and April's collection of patches fixes vulnerabilities across a range of Microsoft operating system components and applications: Internet Explorer, the Remote Desktop client, SharePoint, the Windows kernel (and some kernel-mode drivers), Active Directory, the Windows Client/Server Run-time Subsystem (CSRSS), the Microsoft Antimalware Client, and an HTML sanitization component shared by Office and several Microsoft server products. In total there are nine bulletins (2 critical and 7 important), which fix 14 vulnerabilities.

While Internet Explorer did get patched this month (MS13-028), the update does not address the recently disclosed zero-day. Instead, it fixes two use-after-free vulnerabilities that affect every supported version of Internet Explorer (6 through 10). Because a couple of vulnerabilities are enough to target every version of the browser, attackers will be looking closely at how to exploit these two, so deploy this patch as soon as possible.

Alongside the Internet Explorer patch, MS13-029 fixes a use-after-free vulnerability in the Remote Desktop client ActiveX control, mstscax.dll. An attacker can exploit it by luring a victim to an attacker-controlled web page that instantiates the vulnerable control; when the page is rendered, the vulnerability is triggered and the attacker gains arbitrary code execution in the context of the logged-on user. This patch should also be rolled out as soon as possible.

Three patches this month focus on server software. MS13-030 fixes an information disclosure vulnerability affecting only the latest version of SharePoint Server, 2013; an attacker who exploits it can read SharePoint list items that would normally not be accessible to them. The vulnerability has been publicly disclosed, but it had not been seen exploited in the wild at the time of patch release. MS13-032 addresses a denial of service vulnerability in Active Directory that affects every supported version of Windows except Itanium-based Server 2008/2008 R2 installations and Windows RT: an attacker could send a malicious LDAP query that exhausts the system's memory, taking the directory service down. MS13-035 fixes an issue in the HTML Sanitization component used by Microsoft InfoPath, SharePoint Server, Groove Server, SharePoint Foundation, and Office Web Apps. An attacker who successfully exploited this vulnerability could execute script in a context that is not normally permitted, reading restricted data or performing unauthorized actions on behalf of logged-on users who open a link sent by the attacker. Although this vulnerability was not publicly disclosed beforehand, it has reportedly been used in the wild in targeted attacks.

Four patches in this month's collection address elevation of privilege vulnerabilities. MS13-034 fixes an issue in the Microsoft Antimalware Client that lets a locally authenticated attacker elevate to LocalSystem. Note that it only affects Windows Defender on Windows 8 and Windows RT; Windows Defender on all other versions of Windows is unaffected. MS13-031 fixes two race condition vulnerabilities in the Windows kernel, affecting every supported version of Windows, which a locally authenticated attacker could exploit to read arbitrary amounts of kernel memory. MS13-033 fixes a memory corruption vulnerability in the Windows Client/Server Run-time Subsystem (CSRSS) affecting Windows XP, Server 2003, Vista, and Server 2008. On most systems exploitation only yields a denial of service until the system is restarted, but on XP 64-bit and Server 2003 an attacker could use it to elevate to LocalSystem. This bug is less likely to draw attacker interest in the near future. Lastly, MS13-036 fixes four vulnerabilities in a kernel-mode driver; one of them, CVE-2013-1293, has been publicly disclosed, and another, CVE-2013-1283, affects every supported version of Windows. Any of these privilege elevation vulnerabilities becomes particularly potent when chained with a browser-based exploit such as one targeting MS13-028 or MS13-029: with that combination an attacker can go from no code execution to complete system compromise with just two exploits, so it is important to get these patches rolled out too.

So be sure to get MS13-028 and MS13-029 patched as soon as possible, followed by the rest of the patches right after. Also, join us for the Vulnerability Expert Forum tomorrow, Wednesday, April 10 at 1pm PT, where we will cover these patches as well as other security news.

Update 4-11-13: Microsoft has released a support article stating that after installing MS13-036 on Windows 7 systems, some users are unable to recover from restarts and some applications will not load. Until further notice, it is recommended that users uninstall KB2823324, the package delivered by MS13-036.

Update 4-23-13: Microsoft has released KB2840149 to replace KB2823324; MS13-036 now points to the updated package.
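As an added example (not part of the original post or any BeyondTrust tool), the following PowerShell script audits the MS13-036 state on a Windows 7 host: it reports whether the withdrawn KB2823324 and its replacement KB2840149 are installed, and removes the withdrawn package with the Windows Update Standalone Installer only when the replacement is not yet present. The KB numbers come from the two updates above; the function name and messages are illustrative. It uses PowerShell 2.0 syntax so it runs on a stock Windows 7 install, and must be run from an elevated prompt.

```powershell
# Added example: check and, if needed, roll back the withdrawn MS13-036 package.
# Not code from the original post. Run elevated; PowerShell 2.0 compatible.

$withdrawn   = 'KB2823324'   # original MS13-036 package, pulled by Microsoft on 4-11-13
$replacement = 'KB2840149'   # re-released MS13-036 package from 4-23-13

function Get-KbState {
    param([string[]]$KbIds)
    # Get-HotFix queries Win32_QuickFixEngineering; a KB that is not installed
    # simply does not appear in its output, so membership is the test.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $KbIds) {
        New-Object PSObject -Property @{
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

$state = Get-KbState -KbIds $withdrawn, $replacement
$state | Format-Table KB, Installed -AutoSize

$hasWithdrawn   = ($state | Where-Object { $_.KB -eq $withdrawn }).Installed
$hasReplacement = ($state | Where-Object { $_.KB -eq $replacement }).Installed

if ($hasReplacement) {
    Write-Host "$replacement is installed; MS13-036 is current on this host."
}
elseif ($hasWithdrawn) {
    Write-Host "$withdrawn is installed without $replacement; removing it."
    # wusa.exe /uninstall /kb:<number> removes a package by KB number (no 'KB' prefix).
    # /quiet and /norestart keep it non-interactive so it can be pushed to a fleet;
    # the reboot still has to happen before the removal takes effect.
    $kbNumber = $withdrawn.Substring(2)
    Start-Process -FilePath "$env:SystemRoot\System32\wusa.exe" `
        -ArgumentList "/uninstall /kb:$kbNumber /quiet /norestart" `
        -Wait -NoNewWindow
    Write-Host "Removal requested; reboot the host, then install $replacement."
}
else {
    Write-Host "Neither package is present; install $replacement via Windows Update."
}
```

The same pattern (query Get-HotFix, branch on the replacement before touching the withdrawn package) works for any re-released bulletin, and is safer than blindly uninstalling, since removing KB2823324 on a host that already has KB2840149 would leave MS13-036 applied but still generate needless reboots.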
