Just a little over one week after hackers flooded Vegas for BlackHat and Defcon, August’s Patch Tuesday greets us with eight bulletins: three critical and five important. Software fixed this month includes Internet Explorer, Exchange, Windows, and Active Directory.
MS13-059 addresses 11 privately disclosed vulnerabilities in Internet Explorer, including multiple memory corruptions, an information disclosure, and a privilege elevation vulnerability. This month is no different from recent months, in which we have seen many memory corruptions addressed in Internet Explorer. Both the information disclosure vulnerability (CVE-2013-3192) and one of the memory corruption vulnerabilities (CVE-2013-3199) affect every supported version of Internet Explorer. Of note is the privilege elevation vulnerability (CVE-2013-3186), which allows an attacker to move from a low integrity level to a medium integrity level, i.e. out of the Protected Mode sandbox that confines IE's content processes. Alone, the vulnerability does not permit code execution; it would instead be combined with a memory corruption vulnerability so that the resulting code runs with the full rights of the logged-on user rather than those of the sandboxed process. Deploy this patch as soon as possible.
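The low-to-medium escape matters only if IE's content processes are actually running at Low. The script below is an added example (not from the original post) that reads the mandatory integrity label of every running iexplore.exe process so you can confirm Protected Mode is confining tabs before and after patching. It assumes Protected Mode is enabled for the zone in question (the default for the Internet zone on Vista and later), in which case the frame/broker process shows Medium and content processes show Low; a content process already at Medium means the sandbox is not in play. The mandatory label SIDs (S-1-16-4096 Low, S-1-16-8192 Medium, S-1-16-12288 High, S-1-16-16384 System) are the documented Windows values; the P/Invoke signatures are the standard advapi32/kernel32 ones. Run it as the same user that owns the IE processes.

```powershell
# Added example: report the integrity level of each iexplore.exe process.
# Uses OpenProcessToken + GetTokenInformation(TokenIntegrityLevel) via P/Invoke.
Add-Type -Namespace Win32 -Name Token -MemberDefinition @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool OpenProcessToken(IntPtr ProcessHandle, uint DesiredAccess, out IntPtr TokenHandle);

[DllImport("advapi32.dll", SetLastError = true)]
public static extern bool GetTokenInformation(IntPtr TokenHandle, int TokenInformationClass,
    IntPtr TokenInformation, uint TokenInformationLength, out uint ReturnLength);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@

function Get-ProcessIntegrityLevel {
    param([System.Diagnostics.Process]$Process)

    $TOKEN_QUERY         = 0x0008
    $TokenIntegrityLevel = 25        # TOKEN_INFORMATION_CLASS::TokenIntegrityLevel
    $hToken = [IntPtr]::Zero

    try {
        # Process.Handle throws for processes we cannot open (other users, protected processes).
        $hProcess = $Process.Handle
    } catch {
        return 'access denied'
    }
    if (-not [Win32.Token]::OpenProcessToken($hProcess, $TOKEN_QUERY, [ref]$hToken)) {
        return 'access denied'
    }
    try {
        [uint32]$len = 0
        # First call only sizes the buffer (fails with ERROR_INSUFFICIENT_BUFFER).
        [void][Win32.Token]::GetTokenInformation($hToken, $TokenIntegrityLevel, [IntPtr]::Zero, 0, [ref]$len)
        $buf = [Runtime.InteropServices.Marshal]::AllocHGlobal([int]$len)
        try {
            if (-not [Win32.Token]::GetTokenInformation($hToken, $TokenIntegrityLevel, $buf, $len, [ref]$len)) {
                throw "GetTokenInformation failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
            }
            # TOKEN_MANDATORY_LABEL begins with SID_AND_ATTRIBUTES; its first field is the PSID.
            $pSid = [Runtime.InteropServices.Marshal]::ReadIntPtr($buf)
            $sid  = New-Object System.Security.Principal.SecurityIdentifier($pSid)
            # The label SID is S-1-16-<level>; the last sub-authority is the integrity RID.
            $rid  = [int](($sid.Value -split '-')[-1])
            switch ($rid) {
                4096    { 'Low' }
                8192    { 'Medium' }
                12288   { 'High' }
                16384   { 'System' }
                default { "Unknown ($($sid.Value))" }
            }
        } finally {
            [Runtime.InteropServices.Marshal]::FreeHGlobal($buf)
        }
    } finally {
        [void][Win32.Token]::CloseHandle($hToken)
    }
}

# One row per IE process: the frame process should be Medium, tab/content processes Low.
Get-Process iexplore -ErrorAction SilentlyContinue | ForEach-Object {
    New-Object PSObject -Property @{
        Pid       = $_.Id
        Integrity = Get-ProcessIntegrityLevel -Process $_
        CmdLine   = (Get-WmiObject Win32_Process -Filter "ProcessId = $($_.Id)").CommandLine
    }
} | Format-Table Pid, Integrity, CmdLine -AutoSize
```

The command line is included because IE's content processes carry extra switches that distinguish them from the frame process, which is the quickest way to tell which row should be Low and which Medium.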
MS13-060 fixes a privately reported vulnerability in the Unicode Scripts Processor (Uniscribe, usp10.dll), a shared Windows component that third-party software also loads. The vulnerability only affects XP and Server 2003 installations. Because the bug lies in a shared operating-system component rather than in one application, the attack surface is far wider: any application that feeds attacker-controlled input to the vulnerable font-parsing code in the Unicode Scripts Processor is susceptible. The most likely attack vector is a crafted document opened in such an application, which would exploit the vulnerability and run the attacker's code with the rights of the user who opened it. Make sure to roll this patch out as soon as you can.
MS13-061 remedies three publicly disclosed vulnerabilities, none of which have yet been seen exploited in the wild. They are listed as publicly disclosed because Oracle already disclosed and patched them in Oracle Outside In; since Exchange bundles the Outside In libraries, Microsoft is shipping its own patch for the same issues. They affect Exchange Server 2007, 2010, and 2013 (Note: the patch for Exchange 2013 has been pulled. See VEF Questions & Comments at the bottom of this post). Two of the vulnerabilities permit an attacker to execute arbitrary code on a vulnerable Exchange Server with the rights of the LocalService account, triggered when a user previews a crafted attachment in Outlook Web App. Both are in the WebReady Document Viewing feature, which we have seen patched multiple times over the last year (MS12-058, MS12-080, and MS13-012). Oracle continues to give Microsoft and Exchange a consistent black eye.
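With the Exchange 2013 patch pulled, the documented workaround for the WebReady bugs is to switch the feature off until the reissued update can be applied. The script below is an added example (not from the original post) that does this for every OWA virtual directory and every OWA mailbox policy, printing the state before and after so the change can be verified and later reversed. It assumes it is run from the Exchange Management Shell by an account allowed to modify OWA settings; the cmdlets and the two WebReadyDocumentViewing parameters are the standard Exchange ones.

```powershell
# Added example: disable WebReady Document Viewing (the Outside In code path) org-wide.
# Run in the Exchange Management Shell. Re-enable with $true once the fixed patch is installed.
$props = 'WebReadyDocumentViewingOnPublicComputersEnabled',
         'WebReadyDocumentViewingOnPrivateComputersEnabled'

function Show-WebReadyState {
    Write-Host 'OWA virtual directories:'
    Get-OwaVirtualDirectory | Select-Object -Property (@('Server', 'Name') + $props) | Format-Table -AutoSize
    Write-Host 'OWA mailbox policies:'
    Get-OwaMailboxPolicy | Select-Object -Property (@('Name') + $props) | Format-Table -AutoSize
}

Write-Host '--- before ---'
Show-WebReadyState

# Virtual directory settings apply to users without a mailbox policy; the policy
# settings win for users who have one, so both must be turned off.
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory `
    -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $false

Get-OwaMailboxPolicy | Set-OwaMailboxPolicy `
    -WebReadyDocumentViewingOnPublicComputersEnabled  $false `
    -WebReadyDocumentViewingOnPrivateComputersEnabled $false

Write-Host '--- after ---'
Show-WebReadyState
```

Users lose in-browser previews of Office and PDF attachments while this is in effect, so announce it before running it; attachments can still be downloaded and opened locally.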
MS13-062 addresses a vulnerability in the Windows remote procedure call (RPC) runtime's handling of asynchronous RPC requests. It affects every supported version of Windows and could allow an attacker who already has a foothold on a shared host to elevate privileges by sending a malformed RPC request.
MS13-063 fixes one publicly disclosed security feature bypass and three privately reported memory corruptions, all within the Windows kernel. The security feature bypass lets an attacker defeat address space layout randomization (ASLR); on its own that grants nothing, but it removes a mitigation that exploits for certain memory corruption bugs must get around. The three memory corruptions are in the NT Virtual DOS Machine (NTVDM), which has seen its fair share of vulnerabilities over the years; attackers who exploit them could run arbitrary code in kernel mode. Because NTVDM exists only on 32-bit Windows, those three do not apply to x64 systems, while the ASLR bypass does.
MS13-064 addresses a denial of service vulnerability in the Windows NAT driver on Windows Server 2012. An unauthenticated attacker could trigger it by sending malicious ICMP packets to an affected system. MS13-065 fixes an unrelated denial of service vulnerability in the ICMPv6 implementation of the Windows TCP/IP stack, affecting all supported Windows versions except XP and Server 2003; it could similarly be triggered by an unauthenticated attacker sending malicious ICMPv6 packets to an affected system. Note that blanket-blocking ICMPv6 is not a usable workaround, since IPv6 neighbor discovery depends on it; patching is the fix.
Lastly, MS13-066 addresses a privately disclosed information disclosure vulnerability in Active Directory Federation Services. An attacker who can reach an endpoint exposed by the AD FS service could learn information about the AD FS service account, which in turn enables logon attempts against it that, under an account lockout policy, could lock the service account out.
Be sure to patch Internet Explorer (MS13-059) as soon as possible, along with the Unicode Scripts Processor (MS13-060), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, August 14 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.
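To confirm the rollout actually landed, the script below is an added example (not from the original post) that checks each host for the package KB of this month's Windows-component bulletins. The KB numbers are the package IDs from the bulletins' affected-software tables; verify them against the bulletin for your platform before relying on the list. MS13-061 (Exchange update rollups) and MS13-066 (AD FS) ship as product updates rather than single Windows hotfixes and are not covered here, and a "False" for a bulletin that does not apply to a platform (MS13-060 on anything newer than Server 2003, MS13-064 on anything other than Server 2012) is expected. Requires PowerShell 3.0 or later; remote checks use DCOM through Get-HotFix -ComputerName.

```powershell
# Added example: verify the August 2013 Windows bulletins are installed on one or more hosts.
param([string[]]$ComputerName = $env:COMPUTERNAME)

# Bulletin -> package KB (from the bulletins' affected-software tables; confirm per platform).
$expected = [ordered]@{
    'MS13-059' = 'KB2862772'   # Internet Explorer cumulative update
    'MS13-060' = 'KB2850869'   # Unicode Scripts Processor (XP / Server 2003 only)
    'MS13-062' = 'KB2849470'   # RPC elevation of privilege
    'MS13-063' = 'KB2859537'   # Windows kernel (ASLR bypass, NTVDM)
    'MS13-064' = 'KB2849568'   # NAT driver DoS (Server 2012 only)
    'MS13-065' = 'KB2868623'   # ICMPv6 DoS (Vista and later)
}

foreach ($computer in $ComputerName) {
    try {
        $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
    } catch {
        Write-Warning "$computer : could not enumerate hotfixes ($($_.Exception.Message))"
        continue
    }
    foreach ($bulletin in $expected.Keys) {
        $kb = $expected[$bulletin]
        [pscustomobject]@{
            Computer  = $computer
            Bulletin  = $bulletin
            KB        = $kb
            Installed = [bool]($installed -contains $kb)
        }
    }
}
```

Pipe the output to Where-Object { -not $_.Installed } to get the list of hosts still needing attention; the IE and Unicode Scripts Processor rows are the ones to chase first, per the priority above.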
>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!
The giveaway question this month is: Are you currently monitoring/reporting/auditing Google Apps usage in your environment? If not, why not? If so, how?
Answer the questions in the comments below, by Friday, August 16 5pm PT. We’ll notify a winner next week!
>> VEF News Articles
>> VEF Questions & Comments
Troy noted that MS13-061 has been pulled for Exchange 2013. More information can be found at the Exchange Team Blog. Nice catch, Troy – we appreciate it.
Alan asked, “What do you know regarding the rerelease of MS13-052?“. The answer from Microsoft is that there were issues with the original bulletin patch contents, as described in KB2872441 and KB2872041. TL;DR SharePoint applications and .NET applications were throwing exceptions because of the patch, and they rereleased the bulletin with a fix.
Craig asked, “Regarding MS13-063. Microsoft mentioned during their webcast today that 64BIT systems are not affected. Would you agree?” We cleared this up a bit during the VEF, primarily by noting that the elevation of privilege vulnerabilities did NOT affect x64 systems, but that the ASLR bypass did. Overall, MS13-063 contained patches for both x86 and x64.
Shawn wanted to know if we had a list of general tips… we don’t have a blog post listing general IT admin/infosec tips yet, but we do have a great starter tool, In Configuration We Trust.
Thanks again for everyone’s insightful questions and commentary. We appreciate it greatly as it adds to everyone’s knowledge base. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly research@BeyondTrust.com.