Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

January 2013 Patch Tuesday: Patches, but none for the IE 0day!

Posted January 8, 2013    BeyondTrust Research Team

Happy New Year! Starting off 2013, we’ve got a critical vulnerability within the Windows Print Spooler, and we’re still seeing bugs surface in widely used software like MSXML, the .NET framework, and SSL/TLS. January’s Patch Tuesday greets us with seven patches, addressing 12 vulnerabilities across a spectrum of Microsoft software. Two of these bulletins are rated critical, while the rest are rated important.

The first of the critical bulletins, MS13-001, addresses a critical remote code execution vulnerability in the Windows Print Spooler, which manages printing tasks that are sent to the system. According to preliminary details it appears an attacker would need to queue a specially crafted print job to a shared printer, once that print job was queued then an attacker would potentially be able to compromise systems that enumerate the shared printer queue. The catch, according to Microsoft, is that by default Windows itself does not enumerate shared printer queues in a vulnerable way but third-party printer management software does in some cases. In Microsoft’s bulletin, they say the only mitigating factor is firewalling or disabling the printer service. However, given the extra requirements, it seems harder to exploit than the bulletin would let on. This would normally be considered a wormable vulnerability; however, the default Windows drivers do provide access to the vulnerable functionality, so it would require 3rd party software, such as manufacturers’ drivers, to open the attack vector for this vulnerability. Even though it is not wormable, it is still a critical vulnerability, so if you’re managing Windows 7 or Server 2008 R2 systems (including server core), make sure to get this patch rolled out as soon as possible.

Next, MS13-002 patches some holes in MSXML 3.0, 4.0, 5.0, and 6.0. MSXML is a core processing utility that can be used to process XML data and is included with all versions of Windows, in addition to being bundled with other software, such as Microsoft Office 2003 & 2007, SharePoint Server 2007, Groove Server 2007, and Expression Web. The two vulnerabilities patched in this bulletin can be used by attackers to execute code when certain XML data is processed by an application utilizing MSXML services. Because this affects so many different pieces of software, including all supported versions of Windows, this is another patch that is incredibly important to get deployed as soon as possible.

A good Patch Tuesday isn’t complete without a little .NET action, so Microsoft has provided just that with MS13-004. This bulletin patches vulnerabilities affecting every supported version of .NET, with the exception of .NET 3.5 SP1. Three of the four vulnerabilities addressed in this bulletin allow attackers to raise their privileges to being able to execute code on the vulnerable system just as if the attacker were a legitimate user on that machine.

Other bulletins of note include MS13-005, which addresses an issue with how the Windows kernel handles window broadcast messages. While this does not grant direct code execution, it may be useful as the first step of a multi-stage attack that attackers would use to increase their privileges to kernel level. The other bulletin of note, MS13-006, addresses a security feature bypass affecting SSL/TLS in Windows. This could be used by attackers to perform man-in-the-middle attacks and lower the SSL version to a level that supports cyphers that could be cracked.

Lastly for this month’s patches, MS13-003 addresses a couple of cross-site scripting vulnerabilities within the System Center Operations Manager, and MS13-007 addresses a vulnerability in the Windows implementation of the Open Data Protocol, which could be used to cause a denial of service condition to IIS by resource exhaustion.

This month marks the inclusion of six new vulnerabilities in Windows RT, addressed in MS13-002, MS13-004, MS13-005, and MS13-006. This is the third month since Windows RT started receiving updates and it has received security updates for each month during that time. This month’s Patch Tuesday comes just two days after a security researcher revealed how to run unsigned code on Windows RT.

If you’ve been following the security news recently, you’ll no doubt have heard of the recently disclosed Internet Explorer zero day, CVE-2012-4792, that made its rounds this last month. Well, you’ll also note that this month does not include a fix for that vulnerability. While a Fix it does exist, no full patch has been released by Microsoft. Additionally, some researchers have claimed to bypass the Fix it. Because no patch currently exists, attackers will be having a heyday, since publicly available exploits exist to target this vulnerability. It only affects Internet Explorer versions 6 through 8, so if you are able to do so, upgrade to Internet Explorer 9 or 10 or use an alternate browser such as Chrome.

So be sure to get those first two patches, MS13-001 and MS13-002, rolled out as soon as you can, as they are the most critical among this month’s collection. We hope you have a great start to your new year.


VEF ATTENDEES: If you joined our January VEF and have an answer to our giveaway question, then you’re in the right spot! Post your answer in the comments below! Most compelling answer wins a Kindle Fire!

Leave a Reply

4 Responses to “January 2013 Patch Tuesday: Patches, but none for the IE 0day!”

  1. victor

    check that vulnerabilities are affected and whether they can be carried off, firewall protection and changes in the browser

    January 09, 2013 1:31:30, Reply
  2. mona

    if we have to wait.. I poweroff my computer and go playing with the kid or working in the garden :)
    No electricity – no internet – no risk

    January 11, 2013 10:48:08, Reply
  3. daniel

    I’m using different computer, 1 dedicated to the Internet, 1 isolated from the 1st one used for the corporate data use, with temporary access to internet for secured and validated website only. both are regularly updated and scanned. In case of zero day bug, we are disconnecting the sensitive computer and blocking all the apps which could be affected until the solution is found.

    January 11, 2013 12:08:49, Reply
  4. February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients | BeyondTrust

    [...] Since its release, Windows RT has yet to miss an appearance on Patch Tuesday. This month is no different, with patches being released to address vulnerabilities in Windows RT. This includes fixes that affect software that can run on Windows RT (Internet Explorer in MS13-009 and MS13-010) and fixes to core parts of Windows itself (a truckload of vulnerabilities (30+) in the kernel in MS13-016 and MS13-017, and TCP/IP in MS13-018). Keep an eye out for more of these kernel vulnerabilities, as privilege elevation vulnerabilities will be sure to have a future in helping jail break Windows RT again, as seen last month. [...]

    February 12, 2013 2:04:20, Reply

Additional articles


Why big data breaches won’t always be so easy

Posted September 19, 2014    Byron Acohido

This blog post is republished with the permission of ThirdCertainty. See the original post here. – By: Byron Acohido, Editor-In-Chief, ThirdCertainty Some day, perhaps fairly soon, it will be much more difficult for data thieves to pull off capers like the headline-grabbing hacks of Home Depot and Target. That’s not a pipe dream. It’s the projected outcome…

, , , , ,

8 Reasons Your Privileged Password Management Solution Will Fail

Posted September 18, 2014    Chris Burd

Leveraging complex, frequently updated passwords is a basic security best practice for protecting privileged accounts in your organization. But if passwords are such a no-brainer, why do two out of three data breaches tie back to poor password management? The fact is that not all privileged password management strategies are created equal, so it’s critical…

, , , , , ,

You Change Your Oil Regularly; Why Not Your Passwords?

Posted September 11, 2014    Chris Burd

There are many things in life that get changed regularly:  your car oil, toothbrush and hopefully, your bed sheets.  It’s rare that you give these things much thought – even when you forget to change them. But what if you’re forgetting something that can cost you millions of dollars if left unchanged for long periods…

, , ,