BeyondTrust

Security In Context


February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients

Post by BeyondTrust Research Team February 12, 2013

It’s that time again, folks. This month’s Patch Tuesday brings an assortment of vulnerabilities, from client-side bugs in Internet Explorer to issues in Exchange and TCP/IP, and much more. A total of 57 vulnerabilities are addressed across 12 bulletins, five of which are rated critical.

There are quite a few client-side vulnerabilities this month, with Internet Explorer alone contributing 14 vulnerabilities spread across two bulletins (MS13-009 and MS13-010). It’s just so messed up that it couldn’t be fixed in one bulletin. In all fairness to Microsoft, though, they managed to make it through this month without having to address any Office vulnerabilities. However, the .NET Framework didn’t catch such an easy break, getting pegged with a patch for an elevation of privilege vulnerability in MS13-015. Add those bugs to the OLE Automation vulnerability being patched in MS13-020, and you’ve got yourself a well-rounded collection of client-side vulnerabilities that would make any attacker targeting an unpatched system giddy.

Oracle strikes again this month, with four vulnerabilities being bestowed upon two Microsoft products: Exchange (MS13-012) and FAST Search Server 2010 for SharePoint (MS13-013), each receiving fixes for two vulnerabilities. This is not the first time we’ve seen Oracle Outside In vulnerabilities affecting Microsoft products. Back in August, Exchange received an update addressing multiple Oracle Outside In vulnerabilities in MS12-058, and in October, FAST Search Server 2010 for SharePoint had its own collection of CVEs addressed in MS12-067. As we predicted in August 2012, more Outside In vulnerabilities have been found that affect Microsoft Exchange. We expect this trend of third-party vulnerabilities affecting Microsoft products to continue.

This month also brings fixes for multiple publicly disclosed vulnerabilities. It should be noted that Microsoft lists vulnerabilities previously fixed in third-party products as publicly disclosed (the Oracle Outside In bugs within MS13-012 and MS13-013), even though these vulnerabilities have not necessarily been directly disclosed by researchers or observed being exploited in the wild. That being said, there are also publicly disclosed vulnerabilities in DirectShow’s Media Decompression mechanism (MS13-011) and in the Client/Server Run-time Subsystem (MS13-019), addressing a remote code execution vulnerability and an elevation of privilege vulnerability respectively.

The TCP/IP vulnerability addressed this month looks like it could be a pretty nasty one. It is an unauthenticated remote denial of service vulnerability affecting versions of Windows from Vista onward, with no available workarounds. We’re still investigating how difficult it is to trigger, but it appears to have the potential to be quite potent. In the other corner of the Microsoft server vulnerability match, we’ve got a bug in NFS Server being patched (MS13-014), which could lead to a denial of service condition exploitable by authenticated attackers.

Since its release, Windows RT has yet to miss an appearance on Patch Tuesday. This month is no different, with patches being released to address vulnerabilities in Windows RT. These include fixes for software that runs on Windows RT (Internet Explorer in MS13-009 and MS13-010) and fixes to core parts of Windows itself (a truckload of kernel vulnerabilities, 30+ of them, in MS13-016 and MS13-017, and TCP/IP in MS13-018). Keep an eye out for more of these kernel vulnerabilities, as privilege elevation vulnerabilities are sure to have a future in helping jailbreak Windows RT again, as seen last month.

And that wraps up this month’s patch cycle. Make sure to prioritize patches for Internet Explorer (MS13-009), the .NET Framework (MS13-015), and Microsoft Exchange (MS13-012), and get the rest of the patches rolled out as soon as you can.

Patch Tuesday Assessment
Let us take you through each patch at our monthly Vulnerability Expert Forum, starting tomorrow, Wednesday, February 13, at 1pm PT. We’ll walk you through the Patch Tuesday releases and cover other news from the past month. Sign up for free today.


5 Responses to “February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients”

  1. Ken

    Trusting Oracle security is a good question, but tying the question to Java is a shot across their bow from the good ship Lollipop.

    While Oracle has responsibility for Java now, the problems were inherited with the purchase of Sun. I would judge them by their responsiveness to security issues going forward rather than with problems found in the existing code.

    Having said that, Oracle’s Unbreakable Linux is anything but, so the short answer is no, I don’t trust them explicitly.

    February 13, 2013 1:42:43
  2. Micah

    While Oracle has taken quite a beating, Java has been the BANE of my existence for many years. I often find that I need multiple copies of Java installed on my fricking system just to ensure that I can manage all of my devices. Oh, you are managing a firewall through the GUI? You need this copy. You want to interact with the virus console? You need this one. And let’s not talk about needing different versions to surf the freaking web. Honestly, why in the bloody sands of Arrakis do I currently have seven different versions of Java on my system making me vulnerable, but I cannot upgrade for fear of losing compatibility with the tools that protect my network? GET IT TOGETHER ORACLE: if you want one language to rule all the systems, then we should have one version to run the code. Honestly, Frodo, Smeagol, and Sam were all obsessed with the ONE RING. As an IT Security engineer, how sad is it that I am obsessed with finding the ONE Java version that will run all of my tools!

    February 13, 2013 1:45:28
  3. Jim

    Oracle has the same sort of problems with its products (especially its acquired products, like Java) that Microsoft had 10 or even 5 years ago. Oracle will start spending the money and doing things better as the market demands it and/or the pain to Oracle’s reputation and market share gets intolerable. However – would I trust Oracle? Well, do I have a choice not to?

    February 13, 2013 1:50:09
  4. Eddie

    In regards to the Oracle trust question: “Trusting actions speaks louder than words”. We hear all the time how things “WILL” be worked on rather than seeing it being done. Oracle is a big company and very diverse as a whole, but Java has been none the least a huge undertaking with the amount of vulnerabilities. Though, as “big” as Oracle is, I find it very strange they have not been able to finally tighten Java once and for all. It does raise another question: “What other products owned by Oracle are trustworthy?” Seems as though they are placing their financial expenditures in the areas where they think it brings more value, rather than fixing this one thing that is (has) tarnished their reputation.

    February 15, 2013 10:00:20
  5. Greg

    Why pick on Oracle?

    Gee, which IT products are >truly< awesome? Check out this handy cross-reference (or, Wall of Shame) showing which vendor has the most vulns: http://www.cvedetails.com/top-50-vendor-cvssscore-distribution.php . Oracle is in the top five, for certain, but they are an also-ran if you use the Weighted Average ('sup Adobe?).

    Beyond software, what about fails in our broader IT implementations? Imperva roiled the waters several months ago with a study that suggested AV protection was circling the drain ( http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf ) Many derided their approach, but no one is saying that AV is awesome.

    Perimeter firewalls need additional products to be able to address the issues we expect them to handle, since they aren't up to the job of effectively protecting things that sit right behind them, like web applications.

    This Oracle thing, bad as it is, is just today's news. Tomorrow someone else will stand in the uncomfortable glare. We have short memories.

    And, mostly, we're evidently fine with continuing to pay for (or, in the case of Java, accept) poor solutions. If this really mattered to us, we'd be doing something different. We'd be holding vendors to a higher standard or walking away from them.

    March 14, 2013 4:31:08
