Security in Context: The BeyondTrust Blog

February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients

Posted February 12, 2013    BeyondTrust Research Team

It’s that time again, folks. This month’s Patch Tuesday brings us an assortment of client side vulnerabilities, from vulnerabilities affecting Internet Explorer to Exchange to TCP/IP, and much more. A total of 57 vulnerabilities are addressed across a spread of 12 bulletins, five of which are rated critical.

There are quite a few client side vulnerabilities this month, with Internet Explorer contributing 14 vulnerabilities spread across two bulletins (MS13-009 and MS13-010). It’s just so messed up that it couldn’t be fixed in one bulletin. In all fairness to Microsoft, though, they managed to make it through this month without having to address any Office vulnerabilities. However, the .NET Framework didn’t catch such an easy break, getting pegged with a patch to address an elevation of privilege vulnerability in MS13-015. Add to those an OLE Automation vulnerability being patched in MS13-020, and you’ve got yourself a well-rounded collection of client-side vulnerabilities that would make any attacker targeting an unpatched system giddy.

Oracle strikes again this month with four vulnerabilities being bestowed upon two Microsoft products: Exchange (MS13-012) and FAST Search Server 2010 for SharePoint (MS13-013), each receiving fixes for two vulnerabilities. This is not the first time we’ve seen Oracle Outside In vulnerabilities affecting Microsoft products. Back in August, Exchange received an update addressing multiple Oracle Outside In vulnerabilities in MS12-058, and in October, FAST Search Server 2010 for SharePoint had its own collection of CVEs addressed in MS12-067. As we predicted in August 2012, more Outside In vulnerabilities have been found that affect Microsoft Exchange. We believe this trend of third-party vulnerabilities affecting Microsoft products will continue to be observed in the future.

This month brings along fixes for multiple publicly disclosed vulnerabilities. It should be noted that Microsoft lists vulnerabilities previously fixed in third-party products as publicly disclosed (Oracle Outside In within MS13-012 and MS13-013), even though these vulnerabilities have not necessarily been directly disclosed by researchers or observed being exploited in the wild. That being said, there are also publicly disclosed vulnerabilities in DirectShow’s Media Decompression mechanism (MS13-011) and in the Client/Server Run-time Subsystem (MS13-019), addressing a remote code execution vulnerability and an elevation of privilege vulnerability respectively.

The TCP/IP vulnerability addressed this month (MS13-018) looks like it could be a pretty nasty one. It is an unauthenticated remote denial of service vulnerability affecting Windows Vista and later, with no available workarounds. We’re still investigating how difficult it is to trigger, but it appears to have the potential to be quite potent. In the other corner of the Microsoft server vulnerability match, we’ve got a bug in NFS Server being patched (MS13-014), a denial of service condition that could be exploited by authenticated attackers.

Since its release, Windows RT has yet to miss an appearance on Patch Tuesday. This month is no different, with patches being released to address vulnerabilities in Windows RT. This includes fixes for software that can run on Windows RT (Internet Explorer in MS13-009 and MS13-010) and fixes to core parts of Windows itself (a truckload of more than 30 kernel vulnerabilities in MS13-016 and MS13-017, and TCP/IP in MS13-018). Keep an eye out for more of these kernel vulnerabilities, as privilege elevation vulnerabilities are sure to have a future in helping jailbreak Windows RT again, as seen last month.

And that wraps up this month’s patch cycle. Make sure to prioritize patches for Internet Explorer (MS13-009), the .NET Framework (MS13-015), and Microsoft Exchange (MS13-012), and get the rest of the patches rolled out as soon as you can.

Patch Tuesday Assessment
Let us take you through each patch at our monthly Vulnerability Expert Forum. Starting tomorrow, Wednesday, February 13 at 1pm PT. We’ll walk you through the Patch Tuesday releases and cover other news from the past month. Sign up for free today.


5 Responses to “February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients”

  1. Ken

    Trusting Oracle security is a good question, but tying the question to Java is a shot across their bow from the good ship lollipop.

    While Oracle has responsibility for Java now, the problems were inherited with the purchase of Sun. I would judge them by their responsiveness to security issues going forward rather than with problems found in the existing code.

    Having said that, Oracle’s Unbreakable Linux is anything but, so short answer is no, I don’t trust them explicitly.

    February 13, 2013 1:42:43
  2. Micah

    While Oracle has taken quite a beating, Java has been the BANE of my existence for many years. I often find that I need multiple copies of Java installed on my fricking system just to ensure that I can manage all of my devices. Oh, you are managing a firewall through the GUI? You need this copy. You want to interact with the virus console? You need this one. And let’s not talk about needing different versions to surf the freaking web. Honestly, why in the bloody sands of Arrakis do I currently have seven different versions of Java on my system making me vulnerable, but I cannot upgrade for fear of losing compatibility with my tools that protect my network? GET IT TOGETHER ORACLE: if you want one language to rule all the systems, then we should have one version to run the code. Honestly, Frodo, Smeagol, and Sam were all obsessed with the ONE RING. As an IT Security engineer, how sad is it that I am obsessed with finding the ONE Java version that will run all of my tools!

    February 13, 2013 1:45:28
  3. Jim

    Oracle has the same sort of problems with its products (especially its acquired products, like Java) that Microsoft had 10 or even 5 years ago. Oracle will start spending the money and doing things better as the market demands it and/or the pain to Oracle’s reputation and market share gets intolerable. However – would I trust Oracle? Well, do I have a choice not to?

    February 13, 2013 1:50:09
  4. Eddie

    In regards to the Oracle trust question: “Trusting actions speaks louder than words”. We hear all the time how things “WILL” be worked on rather than seeing it being done. Oracle is a big company and very diverse as a whole, but Java has been none the least a huge undertaking with the amount of vulnerabilities. Though, as “big” as Oracle is, I find it very strange they have not been able to finally tighten Java once and for all. It does raise another question: “What other products owned by Oracle are trustworthy?” Seems as though they are placing their financial expenditures in the areas where they think it brings more value, rather than fixing this one thing that is (has) tarnished their reputation.

    February 15, 2013 10:00:20
  5. Greg

    Why pick on Oracle?

    Gee, which IT products are >truly< awesome? Check out this handy cross-reference (or, Wall of Shame) showing which vendor has the most vulns: http://www.cvedetails.com/top-50-vendor-cvssscore-distribution.php . Oracle is in the top five, for certain, but they are an also-ran if you use the Weighted Average ('sup Adobe?).

    Beyond software, what about fails in our broader IT implementations? Imperva roiled the waters several months ago with a study that suggested AV protection was circling the drain ( http://www.imperva.com/docs/HII_Assessing_the_Effectiveness_of_Antivirus_Solutions.pdf ). Many derided their approach, but no one is saying that AV is awesome.

    Perimeter firewalls need additional products to be able to address the issues we expect them to handle, since they aren't up to the job of effectively protecting things that sit right behind them, like web applications.

    This Oracle thing, bad as it is, is just today's news. Tomorrow someone else will stand in the uncomfortable glare. We have short memories.

    And, mostly, we're evidently fine with continuing to pay for (or, in the case of Java, accept) poor solutions. If this really mattered to us, we'd be doing something different. We'd be holding vendors to a higher standard or walking away from them.

    March 14, 2013 4:31:08