Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

January 2013 Patch Tuesday: Patches, but none for the IE 0day!

Posted January 8, 2013    BeyondTrust Research Team

Happy New Year! Starting off 2013, we’ve got a critical vulnerability within the Windows Print Spooler, and we’re still seeing bugs surface in widely used software like MSXML, the .NET framework, and SSL/TLS. January’s Patch Tuesday greets us with seven patches, addressing 12 vulnerabilities across a spectrum of Microsoft software. Two of these bulletins are rated critical, while the rest are rated important.

The first of the critical bulletins, MS13-001, addresses a critical remote code execution vulnerability in the Windows Print Spooler, which manages printing tasks that are sent to the system. According to preliminary details it appears an attacker would need to queue a specially crafted print job to a shared printer, once that print job was queued then an attacker would potentially be able to compromise systems that enumerate the shared printer queue. The catch, according to Microsoft, is that by default Windows itself does not enumerate shared printer queues in a vulnerable way but third-party printer management software does in some cases. In Microsoft’s bulletin, they say the only mitigating factor is firewalling or disabling the printer service. However, given the extra requirements, it seems harder to exploit than the bulletin would let on. This would normally be considered a wormable vulnerability; however, the default Windows drivers do provide access to the vulnerable functionality, so it would require 3rd party software, such as manufacturers’ drivers, to open the attack vector for this vulnerability. Even though it is not wormable, it is still a critical vulnerability, so if you’re managing Windows 7 or Server 2008 R2 systems (including server core), make sure to get this patch rolled out as soon as possible.

Next, MS13-002 patches some holes in MSXML 3.0, 4.0, 5.0, and 6.0. MSXML is a core processing utility that can be used to process XML data and is included with all versions of Windows, in addition to being bundled with other software, such as Microsoft Office 2003 & 2007, SharePoint Server 2007, Groove Server 2007, and Expression Web. The two vulnerabilities patched in this bulletin can be used by attackers to execute code when certain XML data is processed by an application utilizing MSXML services. Because this affects so many different pieces of software, including all supported versions of Windows, this is another patch that is incredibly important to get deployed as soon as possible.

A good Patch Tuesday isn’t complete without a little .NET action, so Microsoft has provided just that with MS13-004. This bulletin patches vulnerabilities affecting every supported version of .NET, with the exception of .NET 3.5 SP1. Three of the four vulnerabilities addressed in this bulletin allow attackers to raise their privileges to being able to execute code on the vulnerable system just as if the attacker were a legitimate user on that machine.

Other bulletins of note include MS13-005, which addresses an issue with how the Windows kernel handles window broadcast messages. While this does not grant direct code execution, it may be useful as the first step of a multi-stage attack that attackers would use to increase their privileges to kernel level. The other bulletin of note, MS13-006, addresses a security feature bypass affecting SSL/TLS in Windows. This could be used by attackers to perform man-in-the-middle attacks and lower the SSL version to a level that supports cyphers that could be cracked.

Lastly for this month’s patches, MS13-003 addresses a couple of cross-site scripting vulnerabilities within the System Center Operations Manager, and MS13-007 addresses a vulnerability in the Windows implementation of the Open Data Protocol, which could be used to cause a denial of service condition to IIS by resource exhaustion.

This month marks the inclusion of six new vulnerabilities in Windows RT, addressed in MS13-002, MS13-004, MS13-005, and MS13-006. This is the third month since Windows RT started receiving updates and it has received security updates for each month during that time. This month’s Patch Tuesday comes just two days after a security researcher revealed how to run unsigned code on Windows RT.

If you’ve been following the security news recently, you’ll no doubt have heard of the recently disclosed Internet Explorer zero day, CVE-2012-4792, that made its rounds this last month. Well, you’ll also note that this month does not include a fix for that vulnerability. While a Fix it does exist, no full patch has been released by Microsoft. Additionally, some researchers have claimed to bypass the Fix it. Because no patch currently exists, attackers will be having a heyday, since publicly available exploits exist to target this vulnerability. It only affects Internet Explorer versions 6 through 8, so if you are able to do so, upgrade to Internet Explorer 9 or 10 or use an alternate browser such as Chrome.

So be sure to get those first two patches, MS13-001 and MS13-002, rolled out as soon as you can, as they are the most critical among this month’s collection. We hope you have a great start to your new year.


VEF ATTENDEES: If you joined our January VEF and have an answer to our giveaway question, then you’re in the right spot! Post your answer in the comments below! Most compelling answer wins a Kindle Fire!

Leave a Reply

4 Responses to “January 2013 Patch Tuesday: Patches, but none for the IE 0day!”

  1. victor

    check that vulnerabilities are affected and whether they can be carried off, firewall protection and changes in the browser

    January 09, 2013 1:31:30, Reply
  2. mona

    if we have to wait.. I poweroff my computer and go playing with the kid or working in the garden :)
    No electricity – no internet – no risk

    January 11, 2013 10:48:08, Reply
  3. daniel

    I’m using different computer, 1 dedicated to the Internet, 1 isolated from the 1st one used for the corporate data use, with temporary access to internet for secured and validated website only. both are regularly updated and scanned. In case of zero day bug, we are disconnecting the sensitive computer and blocking all the apps which could be affected until the solution is found.

    January 11, 2013 12:08:49, Reply
  4. February 2013 Patch Tuesday: Hide Your Servers, Hide Your Clients | BeyondTrust

    […] Since its release, Windows RT has yet to miss an appearance on Patch Tuesday. This month is no different, with patches being released to address vulnerabilities in Windows RT. This includes fixes that affect software that can run on Windows RT (Internet Explorer in MS13-009 and MS13-010) and fixes to core parts of Windows itself (a truckload of vulnerabilities (30+) in the kernel in MS13-016 and MS13-017, and TCP/IP in MS13-018). Keep an eye out for more of these kernel vulnerabilities, as privilege elevation vulnerabilities will be sure to have a future in helping jail break Windows RT again, as seen last month. […]

    February 12, 2013 2:04:20, Reply

Additional articles


On Demand Webinar – Why You Still Suck at Patching

Posted March 27, 2015    Lindsay Marsh

On Demand Webinar: Dave Shackleford recounts some of his personal experiences in patch management failure, and breaks down the most critical issues holding many teams back from patching more effectively.


Why You Still Suck at Patching…and How to Turn Your Life Around

Posted March 25, 2015    Dave Shackleford

Live webinar | March 26, 2015 | 10am PT/1pm ET | Dave Shackleford, SANS Instructor | Why You Still Suck at Patching…and How to Turn Your Life Around

, ,

Privilege Gone Wild 2: Over 25% of Organizations Have No Privileged Access Controls

Posted March 24, 2015    Scott Lang

BeyondTrust recently conducted a survey, with over 700 respondents, to explore how organizations view the risk of misuse from privileged account misuse, as well as trends in addressing and mitigating those risks.