Security in Context: The BeyondTrust Blog

December 2013 Patch Tuesday

Posted December 10, 2013    BeyondTrust Research Team

December’s Patch Tuesday finishes up the year with patches for Internet Explorer, Office, SharePoint, Windows, and more. There are a total of 11 bulletins addressing 24 unique vulnerabilities; five bulletins are rated as critical and the other six are rated as important.

The zero-day vulnerability released just before last month’s Patch Tuesday is finally receiving a fix in MS13-096. CVE-2013-3906 affects Windows Vista, Server 2008, Office 2003/2007/2010, and Lync 2010/2013. This was originally disclosed in an advisory in November, along with an accompanying Fix It solution. This vulnerability has been exploited successfully in targeted attacks and exploits for it exist within publicly available exploit frameworks. Patch this vulnerability as soon as you can.

It is worth noting that the second zero-day vulnerability disclosed in November, CVE-2013-5065, is not receiving a patch this month. This elevation of privilege vulnerability affects both Windows XP and Server 2003. A workaround is available, but it breaks functionality such as VPN networking. A fix is forthcoming, but with no date publicly announced.

MS13-097 addresses multiple vulnerabilities within Internet Explorer and MS13-099 addresses a privately reported vulnerability in the Windows Scripting runtime (distributed with every version of Windows). These were all privately reported; none were seen exploited in the wild. Vulnerabilities addressed in both bulletins could be exploited in drive-by attacks where an attacker lures a victim to a page and is able to exploit their system to allow the attacker’s code to run in the context of the current user. Of note is CVE-2013-5048 in MS13-097, which attackers will find interesting since it affects every supported version of Internet Explorer. Roll this patch out as soon as possible.

Next is MS13-098, which addresses a privately reported vulnerability in every supported version of Windows. The vulnerability lies within the WinVerifyTrust signature validation mechanism in Windows. Attackers could use this vulnerability to make changes to a signed program without invalidating the program’s signature. This would be useful in social engineering situations where attackers would need to convince a user that a signed executable is legitimate and has been guaranteed to be safe by a trustworthy source. The executable would be signed by a trustworthy source, but it would execute the attacker’s code, while keeping the file’s signature intact. Exploits targeting this vulnerability have been seen in the wild, so deploy this patch as soon as possible.
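As an added defender-side illustration (not code from the post; it assumes, which the page does not state, that the unauthenticated data sits inside the PE file's WIN_CERTIFICATE entry after the DER-encoded PKCS#7 signature, outside what the Authenticode hash covers), here is a Python check that reports such trailing bytes in a file's certificate table, exercised against a constructed stand-in PE rather than a real signed binary:

```python
import struct
# Added illustration for the MS13-098 class of weakness; assumption not stated on the
# page: the unauthenticated data sits inside the WIN_CERTIFICATE entry after the
# DER-encoded PKCS#7 signature, outside what the Authenticode hash covers. This does
# NOT validate the signature; it only reports bytes a strict verifier would reject.
SECURITY_DIR = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY

def der_total_length(buf: bytes) -> int:
    """Length of the outermost DER element: tag + length bytes + content."""
    if buf[0] != 0x30:  # PKCS#7 ContentInfo is a SEQUENCE
        raise ValueError("certificate blob does not start with a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4:
        raise ValueError("unsupported DER length encoding")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")

def unauthenticated_tail(pe: bytes) -> bytes:
    """Bytes after the signature structure (alignment zeros trimmed); b'' = clean."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt = e_lfanew + 24  # optional header follows "PE\0\0" and the 20-byte COFF header
    magic = struct.unpack_from("<H", pe, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)  # PE32 vs PE32+ data directories
    cert_off, cert_size = struct.unpack_from("<II", pe, dirs + SECURITY_DIR * 8)
    if cert_size == 0:
        raise ValueError("file carries no Authenticode signature")
    dw_length = struct.unpack_from("<I", pe, cert_off)[0]  # counts the 8-byte header
    payload = pe[cert_off + 8:cert_off + dw_length]
    used = der_total_length(payload)
    tail = payload[used:]
    allowed_pad = (-(8 + used)) % 8  # zeros needed to reach 8-byte alignment
    if len(tail) > allowed_pad or tail.strip(b"\x00"):
        return tail.rstrip(b"\x00") or tail
    return b""

def build_sample(extra: bytes = b"") -> bytes:
    """Constructed, non-loadable PE32 headers; a placeholder DER SEQUENCE stands in for a signature."""
    payload = b"\x30\x03\x02\x01\x01" + extra  # SEQUENCE { INTEGER 1 } then unauthenticated bytes
    payload += b"\x00" * ((-(8 + len(payload))) % 8)
    entry = struct.pack("<IHH", 8 + len(payload), 0x0200, 0x0002) + payload
    opt = bytearray(224)  # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)
    cert_off = 0x40 + 4 + 20 + len(opt)
    struct.pack_into("<II", opt, 96 + SECURITY_DIR * 8, cert_off, len(entry))
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, len(opt), 0)
    return dos + b"PE\0\0" + coff + bytes(opt) + entry
```

Run `unauthenticated_tail` over a real signed binary's bytes to see whether anything sits beyond the signature; an empty result is what the stricter post-patch verification expects.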

MS13-100 brings a fix for SharePoint 2010 and 2013. The patch addresses a remote code execution vulnerability, which is not normally seen in SharePoint. SharePoint vulnerabilities are typically cross-site scripting flaws that grant information disclosure, so this one will pique the interest of attackers more than usual. The attack vector remains the same: send malicious page content to the server. When this content is processed, the attacker’s code would be executed within the same context as the W3WP service account.

Some elevation of privilege vulnerabilities in Windows are patched this month with MS13-101 (Windows kernel) and MS13-102 (Windows Local Procedure Call). Vulnerabilities addressed in both bulletins permit elevation of the attacker’s code into higher security contexts, which would be useful for attackers wishing to hide their presence on a system. MS13-101 also fixes a couple of denial of service vulnerabilities caused by font parsing and integer overflow bugs. All of these vulnerabilities, except for the TrueType font parsing vulnerability, require that an attacker already have local access to an affected system to exploit it successfully. The TrueType vulnerability can be exploited via drive-by attacks, but it only yields a denial of service condition, rather than code execution.

ASP.NET SignalR received a patch this month in MS13-103 that closes an information disclosure vulnerability; this also affects Visual Studio Team Foundation Server 2013. The cross-site scripting vulnerability would permit an attacker to craft maliciously encoded input that, when opened by a user, would grant the attacker access to resources normally only available to the targeted user. Attackers would use this in targeted scenarios to perform actions on behalf of a user by socially engineering the user into opening the malicious link.

Microsoft Office received two updates this month with MS13-104 addressing a privately reported token hijacking vulnerability and MS13-106 addressing a publicly disclosed ASLR bypass. The token hijacking vulnerability requires that a user view an Office document on a malicious website. This would permit an attacker to impersonate the user by stealing their access token and use it to authenticate against a separate targeted site, such as a SharePoint site. This would allow the attacker to perform actions on that SharePoint site on behalf of the user. The ASLR bypass would be used by attackers in combination with a separate vulnerability in order to craft a complete working exploit. Both of these vulnerabilities have been successfully exploited in the wild.

Finally, MS13-105 addresses four separate vulnerabilities in Microsoft Exchange. Two Oracle Outside In vulnerabilities were patched. These were previously addressed by Oracle in their own products, which is why they are marked as publicly disclosed. The MAC disabled vulnerability, CVE-2013-1330, was previously addressed in MS13-067 earlier this year, but in SharePoint. Therefore, because the vulnerability re-manifested in Exchange, it is marked as publicly disclosed. All of these vulnerabilities permit remote code execution if successfully exploited, but the MAC disabled vulnerability would permit it in the context of the Outlook Web Access service account. The final vulnerability addressed is a cross-site scripting vulnerability in the Outlook Web Access interface. Patch this vulnerability as soon as possible.

Be sure to patch the GDI+ 0day (MS13-096), Internet Explorer (MS13-097), Windows (MS13-098), the Microsoft Scripting Runtime (MS13-099), and Exchange Server (MS13-105) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, December 11 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Air!

What is your 2014 security strategy/game plan? What are you planning to roll-out and focus on in 2014 and why?

Most insightful and/or awesome answer wins!

>> VEF News Articles

Microsoft Condemns US Government As An “Advanced Persistent Threat“
GCHQ Used Fake LinkedIn Pages to Target Engineers
NSA ‘infected’ 50,000 networks with malware

IT Admin:
BGP Hacking
Millions of Android users ‘deceived’ by flashlight app that shares location with advertisers

W8.1 KASLR Bypass
Prezi Bug Bounty Fail

7 Responses to “December 2013 Patch Tuesday”

  1. Dan

    Our number one upcoming year initiative is to automate everything we can! Enterprise Security has grown so much the past couple years and touches everything that we have so many tools, checks, dat files, audits, reports, logs, updates, emails, vulnerabilities, traps, pings and patching processes that our staff is overloaded. So anything that we can automate and script an automated response for, we will. That’s why Beyond SaaS sounds interesting because it is one less server and one less database that we need to maintain, as well as it will consolidate two separate platforms for external and internal scanning, into one, thus saving even more time and money. Automate in 2014!

    December 11, 2013 1:51:59, Reply
  2. raphael

    My 2014 plan includes: replace existing OS & software with Linux & open-source alternatives to avoid known products like SharePoint, Android, Microsoft, etc., which are popular solutions designed by hackers.
    Also, I will put in place a SIEM solution to monitor events and potential attacks, with the use of a honeypot to detect attack attempts.
    Commercial or community solutions such as Beyond products will be useful to identify remaining security breaches.

    December 11, 2013 8:10:52, Reply
  3. Taylor

    The beginning of the year is always a good time to do an in-depth security audit. One thing that I would like to do this year is verify that all of our servers fall under the guidelines of our server hardening policy. Another would be to go through group policy and clean up some of the unnecessary or redundant policies. Extra policies can be a security risk and can also greatly slow down user login times. One thing that has been hard to track is the information entering and leaving the company through our Exchange server. In 2014 I plan to implement a script that will run monthly that silently gathers the previous month’s emails for all users and exports them as a .pst. Not only will we have those emails for future business references but also if a user ever decides to send out information that was not supposed to be sent out we have proof that they did.

    December 12, 2013 8:51:14, Reply
  4. Gregory

    For 2014, our main goal is to better detect the nasty things that have already gotten onto our network. We have all of the typical signature-based protections in place (i.e. IPS/AV/etc.), but I’m not confident that they are catching the newest malware that is out there, so we need something that can catch 0-days and network intrusions. On our wish list then are several things. 1. A better SIEM tool – Something that can better correlate logs and will make our investigations more efficient and effective. 2. NAC Solution – We need to be better at knowing what is on our network in order to prevent an unauthorized system from accessing it. 3. An APT detection service – something that detects botnets and external connections to catch those things that AV/IPS miss. Other projects for 2014 – Password safe (like Powerbroker), Data Masking, Phishing exercises, and a file system and AD auditing tool (like the Powerbroker).

    December 13, 2013 7:45:42, Reply
  5. Oliva

    Our game plan for 2014 will be atypical to New Year’s resolutions that (more often than not) are unsuccessful. We spent the better part of the year soaking in industry recommendations to architect a proactive game plan that will be flexible enough to manage our internal systems and robust enough to keep an eye on those in the cloud. We are confident we can achieve our resolution to better improve our security visibility. With security intelligence from companies like BeyondTrust, we will advance our growing SMB’s posture to that of an industry titan.

    December 13, 2013 8:54:56, Reply
  6. Eddie

    Our 2014 Security Game Plan is Getting “BeyondTrust” in the door! We are starting with “Power Broker” and hopefully will be able to leverage that contract with “Retina”. This is truly “Proactive Security” vs just “Security for Compliance”. Starting with the most vulnerable source of attacks, our client PCs. Most companies focus security from top to bottom; we are focusing “bottom to top” in 2014. My answer to the question is not to sell the services, but to honestly share the awareness of the most common security vulnerability solution through BeyondTrust offerings since it’s not the common practice. Hopefully we can increase this awareness with the services provided worldwide, as we have offices internationally in higher needs.

    December 13, 2013 4:18:59, Reply
  7. Ben

    Our 2014 security game plan includes a major upgrade and switch to a completely new patching architecture. We have gotten the approvals and money in place to finally move on from the old and out-of-support system that was in place previously. We would struggle to reach 90% compliance after months, but should now be able to be above that within a week. The focus will be getting the new system rolled out globally to all endpoints as well as changing our patching and reporting methodologies to match the functionality of the new system. It is going to take some work, but will set us up for a much reduced threat posture and better support for many years to come.

    December 17, 2013 1:44:52, Reply
