Security in Context: The BeyondTrust Blog

August 2013 Patch Tuesday

Posted August 13, 2013    BeyondTrust Research Team

Just a little over one week after hackers flooded Vegas for BlackHat and Defcon, August’s Patch Tuesday greets us with eight bulletins: three critical and five important. Software fixed this month includes Internet Explorer, Exchange, Windows, and Active Directory.

MS13-059 addresses 11 privately disclosed vulnerabilities, including multiple memory corruptions, an information disclosure, and a privilege elevation vulnerability. This month is no different from recent months, where we have seen many memory corruptions addressed in Internet Explorer. Additionally, both the information disclosure vulnerability (CVE-2013-3192) and one of the memory corruption vulnerabilities (CVE-2013-3199) affect every supported version of Internet Explorer. Of note is the privilege elevation vulnerability (CVE-2013-3186), which allows attackers to elevate their privileges from a low integrity level to a medium integrity level. Alone, the vulnerability does not permit code execution; it would instead be combined with another vulnerability to gain code execution with user rights. Deploy this patch as soon as possible.

MS13-060 fixes a privately reported vulnerability in the Unicode Scripts Processor, which is used by Windows and other third-party software. The vulnerability only affects XP and Server 2003 installations. Because this vulnerability lies within a shared operating system component that is also used by third-party applications, the attack vectors are far more widespread. Any application that exposes the vulnerable portion of the Unicode Scripts Processor is susceptible to exploitation by attackers. The most likely attack vector would be a crafted document opened by an application, which would exploit the vulnerability and allow the attacker’s code to execute on the vulnerable system. Make sure to roll this patch out as soon as you can.

MS13-061 remedies three publicly disclosed vulnerabilities, which have not yet been seen exploited in the wild. The vulnerabilities are listed as publicly disclosed because they were disclosed in a patch provided by Oracle for Oracle Outside In. Because Oracle Outside In libraries are used by Exchange, Microsoft is releasing a patch to fix the same issues previously disclosed by Oracle. These affect Exchange Server 2007, 2010, and 2013 (Note: the patch for Exchange 2013 has been pulled. See VEF Questions & Comments at the bottom of this post). Two of the vulnerabilities permit an attacker to execute arbitrary code on a vulnerable Exchange Server with the same rights as the LocalService account. These two vulnerabilities are within the WebReady Document Viewing feature, which we have seen patched multiple times over the last year (MS12-058, MS12-080, and MS13-012). Oracle continues to give Microsoft and Exchange a consistent black eye.

MS13-062 addresses a vulnerability in Windows dealing with asynchronous remote procedure calls (RPC). This vulnerability, which affects every supported version of Windows, can lead to an elevation of the attacker’s privileges on a system when the attacker initiates a malformed RPC request on a shared host.

MS13-063 fixes one publicly disclosed security feature bypass and three privately reported memory corruptions, all occurring within the Windows Kernel. The security feature bypass allows an attacker to bypass address space layout randomization (ASLR), which is necessary to exploit certain types of vulnerabilities. The three memory corruptions occur within the NT virtual DOS machine (NTVDM), which has seen its fair share of vulnerabilities over the years. Attackers that exploit the NTVDM bugs could gain the ability to execute arbitrary code in the kernel.

MS13-064 addresses a denial of service vulnerability in the NAT driver on Windows Server 2012. Unauthenticated attackers could exploit this by sending malicious ICMP packets to an affected system. MS13-065 fixes a vulnerability in ICMPv6 for all supported Windows systems, excluding XP and Server 2003. This denial of service vulnerability (unrelated to MS13-064) could similarly be triggered by an unauthenticated attacker sending malicious ICMPv6 packets to affected systems.

Lastly, MS13-066 addresses a privately disclosed information disclosure vulnerability in Active Directory Federation Services. This would allow attackers to gain information about accounts through an open endpoint.

Be sure to patch Internet Explorer (MS13-059) as soon as possible, along with the Unicode Scripts Processor (MS13-060), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, August 14 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!

The giveaway question this month is: Are you currently monitoring/reporting/auditing Google Apps usage in your environment? If not, why not? If so, how?

Answer the questions in the comments below, by Friday, August 16 5pm PT. We’ll notify a winner next week!

>> VEF News Articles

Samsung co-CEO: We want Tizen to be on everything
Tor Anonymity Cracked; FBI Investigation Role Questioned

IT Admin:
Hackers use Android ‘master key’ exploit in China
BlackBerry 10 makes email passwords for NSA and GCHQ accessible

Mozilla/Blackberry to Collaboratively Work on Peach Fuzzer
Signed Mac Malware Using Right-to-Left Override Trick

>> VEF Questions & Comments

Troy noted that MS13-061 has been pulled for Exchange 2013. More information can be found at the Exchange Team Blog. Nice catch, Troy – we appreciate it.

Alan asked, “What do you know regarding the rerelease of MS13-052?” The answer from Microsoft is that there were issues with the original bulletin patch contents, as described in KB2872441 and KB2872041. TL;DR: SharePoint applications and .NET applications were throwing exceptions because of the patch, and they rereleased the bulletin with a fix.

Craig asked, “Regarding MS13-063. Microsoft mentioned during their webcast today that 64BIT systems are not affected. Would you agree?” We cleared this up a bit during the VEF, primarily by noting that the elevation of privilege vulnerabilities did NOT affect x64 systems, but that the ASLR bypass did. Overall, MS13-063 contained patches for both x86 and x64.

Shawn wanted to know if we had a list of general tips… we don’t have a blog post listing general IT admin/infosec tips yet, but we do have a great starter tool, In Configuration We Trust.

Thanks again for everyone’s insightful questions and commentary. We appreciate it greatly as it adds to everyone’s knowledge base. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly.


7 Responses to “August 2013 Patch Tuesday”

  1. Jeffrey

    We do monitor Google Apps usage, after discovering that one of our support technicians was using Google Drive to copy customer files to their own account; supposedly to facilitate moving files to another computer for the customer. This is obviously a gigantic security concern, which we take very seriously. Had we not been monitoring Google Apps, a rogue employee could have caused incredible damage to our reputation and/or our customers.

    August 14, 2013 1:29:02
  2. Tony Le

    Are you currently monitoring/reporting/auditing Google Apps usage in your environment? If not, why not? If so, how?

    In our test environment, yes – we are planning to do that as we are still looking for ways on how to monitor Google Apps effectively. We are talking to some vendors.

    In the production environment, we have not implemented Google Apps yet.

    August 14, 2013 1:36:45
  3. shawn

    no. what’s Google Apps? we’re married to microsoft…not allowed to covet our neighbor’s wife.

    August 14, 2013 1:40:01
  4. Karla

    We do not currently monitor, report or audit Google Apps. We do not use Google Apps in our environment officially, and find it highly doubtful that anyone is using Google Apps unofficially; those are blocked by Policy through our Web Security Appliances.

    August 14, 2013 1:41:00
  5. Troy

    No Google Apps use here so no monitoring needed – but who would be crazy enough to use Google Apps based on this headline?

    Google filing says Gmail users have no expectation of privacy

    In motion to dismiss a data-mining lawsuit, Web giant says people have “no legitimate expectation of privacy in information” voluntarily turned over to third parties.

    August 14, 2013 1:46:20
  6. William

    We monitor and block Google and other cloud apps at the network gateway. We use a combination of firewall and proxy servers to restrict access to non-approved online applications, of which we block most Google apps. We do allow Google mail, but we restrict the file attachment through rules at the network gateway.

    August 14, 2013 1:58:36
  7. T.B. Fitzgerald

    I only enable Google Apps that are necessary and monitor as-needed. If you bestow trust in an app and store data off-site then it’s a calculated risk. Monitoring and auditing the actual data within the apps is more difficult; people unknowingly leak confidential information and plugging that leak can be challenging. Not all environments are created equally. It takes planning, protocol, and execution in order to successfully monitor/audit. Reports, however, are only as good as your metrics.

    August 14, 2013 3:19:04
