Security in Context: The BeyondTrust Blog


January 2013 Patch Tuesday: Patches, but none for the IE 0day!

Posted January 8, 2013    BeyondTrust Research Team

Happy New Year! Starting off 2013, we’ve got a critical vulnerability within the Windows Print Spooler, and we’re still seeing bugs surface in widely used software like MSXML, the .NET framework, and SSL/TLS. January’s Patch Tuesday greets us with seven patches, addressing 12 vulnerabilities across a spectrum of Microsoft software. Two of these bulletins are rated critical, while the rest are rated important.

The first of the critical bulletins, MS13-001, addresses a critical remote code execution vulnerability in the Windows Print Spooler, which manages printing tasks that are sent to the system. According to preliminary details, it appears an attacker would need to queue a specially crafted print job to a shared printer; once that print job was queued, the attacker would potentially be able to compromise systems that enumerate the shared printer queue. The catch, according to Microsoft, is that by default Windows itself does not enumerate shared printer queues in a vulnerable way, but third-party printer management software does in some cases. In Microsoft’s bulletin, they say the only mitigating factor is firewalling or disabling the printer service. However, given the extra requirements, it seems harder to exploit than the bulletin would let on. This would normally be considered a wormable vulnerability; however, the default Windows drivers do not provide access to the vulnerable functionality, so it would require third-party software, such as manufacturers’ drivers, to open the attack vector for this vulnerability. Even though it is not wormable, it is still a critical vulnerability, so if you’re managing Windows 7 or Server 2008 R2 systems (including Server Core), make sure to get this patch rolled out as soon as possible.

Next, MS13-002 patches some holes in MSXML 3.0, 4.0, 5.0, and 6.0. MSXML is a core processing utility that can be used to process XML data and is included with all versions of Windows, in addition to being bundled with other software, such as Microsoft Office 2003 & 2007, SharePoint Server 2007, Groove Server 2007, and Expression Web. The two vulnerabilities patched in this bulletin can be used by attackers to execute code when certain XML data is processed by an application utilizing MSXML services. Because this affects so many different pieces of software, including all supported versions of Windows, this is another patch that is incredibly important to get deployed as soon as possible.

A good Patch Tuesday isn’t complete without a little .NET action, so Microsoft has provided just that with MS13-004. This bulletin patches vulnerabilities affecting every supported version of .NET, with the exception of .NET 3.5 SP1. Three of the four vulnerabilities addressed in this bulletin allow attackers to elevate their privileges so that they can execute code on the vulnerable system just as if they were a legitimate user on that machine.

Other bulletins of note include MS13-005, which addresses an issue with how the Windows kernel handles window broadcast messages. While this does not grant direct code execution, it may be useful as the first step of a multi-stage attack that attackers would use to increase their privileges to kernel level. The other bulletin of note, MS13-006, addresses a security feature bypass affecting SSL/TLS in Windows. This could be used by attackers to perform man-in-the-middle attacks and lower the SSL version to a level that supports ciphers that could be cracked.

Lastly for this month’s patches, MS13-003 addresses a couple of cross-site scripting vulnerabilities within the System Center Operations Manager, and MS13-007 addresses a vulnerability in the Windows implementation of the Open Data Protocol, which could be used to cause a denial of service condition to IIS by resource exhaustion.

This month marks the inclusion of six new vulnerabilities in Windows RT, addressed in MS13-002, MS13-004, MS13-005, and MS13-006. This is the third month since Windows RT started receiving updates, and it has received security updates in each month during that time. This month’s Patch Tuesday comes just two days after a security researcher revealed how to run unsigned code on Windows RT.

If you’ve been following the security news recently, you’ll no doubt have heard of the recently disclosed Internet Explorer zero day, CVE-2012-4792, that made its rounds this last month. Well, you’ll also note that this month does not include a fix for that vulnerability. While a Fix it does exist, no full patch has been released by Microsoft. Additionally, some researchers have claimed to bypass the Fix it. Because no patch currently exists, attackers will be having a heyday, since publicly available exploits exist to target this vulnerability. It only affects Internet Explorer versions 6 through 8, so if you are able to do so, upgrade to Internet Explorer 9 or 10 or use an alternate browser such as Chrome.

So be sure to get those first two patches, MS13-001 and MS13-002, rolled out as soon as you can, as they are the most critical among this month’s collection. We hope you have a great start to your new year.


VEF ATTENDEES: If you joined our January VEF and have an answer to our giveaway question, then you’re in the right spot! Post your answer in the comments below! Most compelling answer wins a Kindle Fire!


4 Responses to “January 2013 Patch Tuesday: Patches, but none for the IE 0day!”

  1. victor

    check that vulnerabilities are affected and whether they can be carried off, firewall protection and changes in the browser

    January 09, 2013 1:31:30
  2. mona

    If we have to wait... I power off my computer and go play with the kid or work in the garden :)
    No electricity – no internet – no risk

    January 11, 2013 10:48:08
  3. daniel

    I’m using different computers: 1 dedicated to the Internet, and 1 isolated from the 1st one, used for corporate data, with temporary access to the internet for secured and validated websites only. Both are regularly updated and scanned. In case of a zero-day bug, we are disconnecting the sensitive computer and blocking all the apps which could be affected until the solution is found.

    January 11, 2013 12:08:49
  4. February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients | BeyondTrust

    […] Since its release, Windows RT has yet to miss an appearance on Patch Tuesday. This month is no different, with patches being released to address vulnerabilities in Windows RT. This includes fixes that affect software that can run on Windows RT (Internet Explorer in MS13-009 and MS13-010) and fixes to core parts of Windows itself (a truckload of vulnerabilities (30+) in the kernel in MS13-016 and MS13-017, and TCP/IP in MS13-018). Keep an eye out for more of these kernel vulnerabilities, as privilege elevation vulnerabilities will be sure to have a future in helping jail break Windows RT again, as seen last month. […]

    February 12, 2013 2:04:20
