Security in Context: The BeyondTrust Blog

August 2013 Patch Tuesday

Posted August 13, 2013    BeyondTrust Research Team

Just a little over one week after hackers flooded Vegas for BlackHat and Defcon, August’s Patch Tuesday greets us with eight bulletins: three critical and five important. Software fixed this month includes Internet Explorer, Exchange, Windows, and Active Directory.

MS13-059 addresses 11 privately disclosed vulnerabilities in Internet Explorer, including multiple memory corruptions, an information disclosure, and a privilege elevation vulnerability. This month is no different from recent months, where we have seen many memory corruptions addressed in Internet Explorer. Additionally, both the information disclosure vulnerability (CVE-2013-3192) and one of the memory corruption vulnerabilities (CVE-2013-3199) affect every supported version of Internet Explorer. Of note is the privilege elevation vulnerability (CVE-2013-3186), which allows attackers to elevate from a low integrity level to a medium integrity level. On its own, the vulnerability does not permit code execution; instead it would be combined with another vulnerability (for example, one of the memory corruptions) so that the attacker's code escapes the low-integrity sandbox and runs with the rights of the logged-on user. Deploy this patch as soon as possible.
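To make the integrity-level distinction behind CVE-2013-3186 concrete: Internet Explorer's Protected Mode runs tab processes at Low integrity, and Windows carries a token's integrity level as a Mandatory Label SID of the form S-1-16-<RID>, which `whoami /groups` reports as a row of type "Label". The following script is an added example, not code from the original post or from BeyondTrust. It parses `whoami /groups /fo csv` output, maps the label RID to a level name using the documented well-known label SIDs, and reports whether the token sits below Medium (where a Low-to-Medium elevation bug matters). The embedded sample output is constructed; on a Windows host the script runs `whoami` for real.

```python
"""Classify a Windows token's integrity level from `whoami /groups /fo csv` output.

Added example, not from the original post. The Mandatory Label RIDs below are
the documented Windows well-known integrity levels (S-1-16-<RID>); the sample
output is constructed to resemble what `whoami /groups /fo csv` prints inside
an Internet Explorer Protected Mode tab (Low integrity).
"""
import csv
import io
import subprocess
import sys

# Well-known mandatory integrity level RIDs. The RID *is* the level, so
# comparing RIDs numerically compares integrity levels.
INTEGRITY_LEVELS = {
    0x0000: "Untrusted",
    0x1000: "Low",
    0x2000: "Medium",
    0x2100: "Medium Plus",
    0x3000: "High",
    0x4000: "System",
    0x5000: "Protected Process",
}
MEDIUM = 0x2000

# Constructed sample: a Low-integrity token such as an IE Protected Mode tab.
SAMPLE_WHOAMI_CSV = '''"Group Name","Type","SID","Attributes"
"Everyone","Well-known group","S-1-1-0","Mandatory group, Enabled by default, Enabled group"
"BUILTIN\\Users","Alias","S-1-5-32-545","Mandatory group, Enabled by default, Enabled group"
"Mandatory Label\\Low Mandatory Level","Label","S-1-16-4096","Mandatory group, Enabled by default, Enabled group"
'''


def integrity_rid_from_sid(sid: str) -> int:
    """Return the RID of a Mandatory Label SID (S-1-16-<RID>); reject anything else."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        raise ValueError(f"not a mandatory label SID: {sid}")
    return int(parts[3])


def level_name(rid: int) -> str:
    """Map a label RID to its name. Custom RIDs are legal, so an unknown value
    is described relative to the nearest well-known level below it."""
    if rid in INTEGRITY_LEVELS:
        return INTEGRITY_LEVELS[rid]
    lower = max((r for r in INTEGRITY_LEVELS if r < rid), default=0)
    return f"{INTEGRITY_LEVELS[lower]}+{rid - lower:#x}"


def token_integrity(whoami_csv: str) -> tuple[str, int]:
    """Parse `whoami /groups /fo csv` output and return (level name, RID).
    The integrity label is the row whose Type column reads "Label"."""
    for row in csv.DictReader(io.StringIO(whoami_csv)):
        if row.get("Type") == "Label":
            rid = integrity_rid_from_sid(row["SID"])
            return level_name(rid), rid
    raise ValueError("no Mandatory Label row; expected `whoami /groups /fo csv` output")


def is_sandboxed_below_medium(rid: int) -> bool:
    """True when the token runs below Medium, i.e. inside the kind of
    low-integrity sandbox that a Low-to-Medium elevation bug breaks out of."""
    return rid < MEDIUM


def current_token_integrity() -> tuple[str, int]:
    """Classify the current process token on a Windows host via whoami."""
    out = subprocess.run(["whoami", "/groups", "/fo", "csv"],
                         check=True, capture_output=True, text=True).stdout
    return token_integrity(out)


if __name__ == "__main__":
    # Off Windows there is no whoami /groups, so fall back to the constructed sample.
    name, rid = current_token_integrity() if sys.platform == "win32" else token_integrity(SAMPLE_WHOAMI_CSV)
    print(f"{name} integrity (S-1-16-{rid}); below Medium: {is_sandboxed_below_medium(rid)}")
```

Run it from inside the process you care about (for a browser tab, via a spawned `cmd.exe`) to confirm it really is at Low; a tab reporting Medium means Protected Mode is off for that zone and the low-to-medium bug buys the attacker nothing extra, because the tab already has the user's rights.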

MS13-060 fixes a privately reported vulnerability in the Unicode Scripts Processor, a shared Windows component that is also used by third-party software. The vulnerability only affects XP and Server 2003 installations. Because the flaw lies in a shared operating system component rather than in a single application, the attack surface is far wider than usual: any application that passes attacker-controlled text through the vulnerable portion of the Unicode Scripts Processor is susceptible. The most likely attack vector is a crafted document opened in such an application, which would trigger the vulnerability and allow the attacker's code to execute on the vulnerable system. Make sure to roll this patch out as soon as you can.

MS13-061 remedies three publicly disclosed vulnerabilities, which have not yet been seen exploited in the wild. The vulnerabilities are listed as publicly disclosed because they were fixed in a patch Oracle issued for Oracle Outside In. Because Exchange uses the Oracle Outside In libraries, Microsoft is releasing a patch for the same issues Oracle previously disclosed. These affect Exchange Server 2007, 2010, and 2013 (Note: the patch for Exchange 2013 has been pulled. See VEF Questions & Comments at the bottom of this post). Two of the vulnerabilities permit an attacker to execute arbitrary code on a vulnerable Exchange Server with the rights of the LocalService account. Both are within the WebReady Document Viewing feature, which we have seen patched multiple times over the last year (MS12-058, MS12-080, and MS13-012). Oracle continues to give Microsoft and Exchange a consistent black eye.

MS13-062 addresses a vulnerability in the Windows handling of asynchronous remote procedure calls (RPC). This vulnerability, which affects every supported version of Windows, allows an attacker to elevate privileges on a system by sending it a malformed asynchronous RPC request.

MS13-063 fixes one publicly disclosed security feature bypass and three privately reported memory corruptions, all within the Windows kernel. The security feature bypass allows an attacker to defeat address space layout randomization (ASLR), a step that reliable exploitation of many memory corruption vulnerabilities now requires. The three memory corruptions occur within the NT Virtual DOS Machine (NTVDM), which has seen its fair share of vulnerabilities over the years. Attackers who exploit the NTVDM bugs could gain the ability to execute arbitrary code in the kernel.

MS13-064 addresses a denial of service vulnerability in the NAT driver on Windows Server 2012. Unauthenticated attackers could exploit it by sending malicious ICMP packets to an affected system. MS13-065 fixes a vulnerability in ICMPv6 on all supported Windows systems except XP and Server 2003. This denial of service vulnerability (unrelated to MS13-064) could similarly be triggered by an unauthenticated attacker sending malicious ICMPv6 packets to affected systems.

Lastly, MS13-066 addresses a privately disclosed information disclosure vulnerability in Active Directory Federation Services. This would allow attackers to gain information about accounts through an open endpoint.

Be sure to patch Internet Explorer (MS13-059) as soon as possible, along with the Unicode Scripts Processor (MS13-060), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, August 14 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!

The giveaway question this month is: Are you currently monitoring/reporting/auditing Google Apps usage in your environment? If not, why not? If so, how?

Answer the questions in the comments below, by Friday, August 16 5pm PT. We’ll notify a winner next week!

>> VEF News Articles

CxO:
Samsung co-CEO: We want Tizen to be on everything
Tor Anonymity Cracked; FBI Investigation Role Questioned

IT Admin:
Hackers use Android ‘master key’ exploit in China
BlackBerry 10 makes email passwords for NSA and GCHQ accessible

Researcher:
Mozilla/Blackberry to Collaboratively Work on Peach Fuzzer
Signed Mac Malware Using Right-to-Left Override Trick

>> VEF Questions & Comments

Troy noted that MS13-061 has been pulled for Exchange 2013. More information can be found at the Exchange Team Blog. Nice catch, Troy – we appreciate it.

Alan asked, “What do you know regarding the rerelease of MS13-052?” The answer from Microsoft is that there were issues with the original bulletin patch contents, as described in KB2872441 and KB2872041. TL;DR: SharePoint applications and .NET applications were throwing exceptions because of the patch, and Microsoft rereleased the bulletin with a fix.

Craig asked, “Regarding MS13-063. Microsoft mentioned during their webcast today that 64BIT systems are not affected. Would you agree?” We cleared this up a bit during the VEF, primarily by noting that the elevation of privilege vulnerabilities (the NTVDM bugs) did NOT affect x64 systems, but that the ASLR bypass did. Overall, MS13-063 contained patches for both x86 and x64.

Shawn wanted to know if we had a list of general tips… we don’t have a blog post listing general IT admin/infosec tips yet, but we do have a great starter tool, In Configuration We Trust.

Thanks again for everyone’s insightful questions and commentary. We appreciate it greatly as it adds to everyone’s knowledge base. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly research@BeyondTrust.com.


7 Responses to “August 2013 Patch Tuesday”

  1. Jeffrey

    We do monitor Google Apps usage, after discovering that one of our support technicians was using Google Drive to copy customer files to their own account; supposedly to facilitate moving files to another computer for the customer. This is obviously a gigantic security concern, which we take very seriously. Had we not been monitoring Google Apps, a rogue employee could have caused incredible damage to our reputation and/or our customers.

    August 14, 2013 1:29:02, Reply
  2. Tony Le

    Are you currently monitoring/reporting/auditing Google Apps usage in your environment? If not, why not? If so, how?

    In our test environment, yes – we are planning to do that as we are still looking for ways on how to monitor Google Apps effectively. We are talking to some vendors.

    In the production environment, we have not implemented Google Apps yet.

    August 14, 2013 1:36:45, Reply
  3. shawn

    No. What’s Google Apps? We’re married to Microsoft... not allowed to covet our neighbor’s wife.

    August 14, 2013 1:40:01, Reply
  4. Karla

    We do not currently monitor, report or audit Google Apps. We do not use Google Apps in our environment officially, and find it highly doubtful that anyone is using Google Apps unofficially; those are blocked by policy through our Web Security Appliances.

    August 14, 2013 1:41:00, Reply
  5. Troy

    No Google Apps use here so no monitoring needed – but who would be crazy enough to use Google Apps based on this headline?

    Google filing says Gmail users have no expectation of privacy
    http://news.cnet.com/8301-1023_3-57598420-93/google-filing-says-gmail-users-have-no-expectation-of-privacy/?part=rss&subj=news&tag=title

    In motion to dismiss a data-mining lawsuit, Web giant says people have “no legitimate expectation of privacy in information” voluntarily turned over to third parties.

    August 14, 2013 1:46:20, Reply
  6. William

    We monitor and block Google and other cloud apps at the network gateway. We use a combination of firewall and proxy servers to restrict access to non-approved online applications, of which we block most Google apps. We do allow Google mail, but we restrict file attachments through rules at the network gateway.

    August 14, 2013 1:58:36, Reply
  7. T.B. Fitzgerald

    I only enable Google Apps that are necessary and monitor as-needed. If you bestow trust in an app and store data off-site then it’s a calculated risk. Monitoring and auditing the actual data within the apps is more difficult; people unknowingly leak confidential information and plugging that leak can be challenging. Not all environments are created equally. It takes planning, protocol, and execution in order to successfully monitor/audit. Reports, however, are only as good as your metrics.

    August 14, 2013 3:19:04, Reply
