Security in Context: The BeyondTrust Blog

July 2013 Patch Tuesday

Posted July 9, 2013    BeyondTrust Research Team

July’s patch Tuesday fixes vulnerabilities in .NET, Windows, and Internet Explorer. There are a total of seven bulletins addressing 34 unique vulnerabilities; six bulletins are rated critical and one is rated important.

MS13-052 addresses a TrueType font parsing vulnerability in .NET (CVE-2013-3129, also addressed in MS13-053 and MS13-054), as well as six other vulnerabilities. This is similar to the vulnerability used by Stuxnet/Duqu, except those vulnerabilities lay in the kernel, whereas this one is in .NET, which is in userland. This .NET vulnerability can be exploited by causing the .NET framework to parse a maliciously crafted TrueType font, granting the attacker the ability to execute arbitrary code in the context of the current user. In addition to this vulnerability, there are others in this bulletin that grant remote code execution as well as elevation of privilege capabilities (such as bypassing code access security restrictions).

Internet Explorer gets some love with MS13-055. 17 vulnerabilities are addressed in this bulletin, composed of 16 memory corruption vulnerabilities and a cross-site scripting vulnerability. This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities. These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.

The rest of the bulletins address vulnerabilities in the Windows operating system, specifically providing patches for kernel mode drivers, GDI+, DirectShow, Windows Media Format Runtime, and Windows Defender.

MS13-053 addresses eight vulnerabilities within Windows kernel mode drivers, cumulatively affecting every supported version of Windows. Of these vulnerabilities, two CVEs were publicly disclosed: CVE-2013-3172 and CVE-2013-3660. While no exploits have been seen in the wild for CVE-2013-3172, targeted attacks have been observed that exploit CVE-2013-3660 to gain elevated privileges on vulnerable systems. Tavis Ormandy originally released an exploit for this vulnerability on the Full Disclosure mailing list. Since then, this exploit has been incorporated into public exploit frameworks. Among all the vulnerabilities addressed in this bulletin, attackers at large will be focused on exploiting CVE-2013-3660, since easily accessible exploit code already exists, so it is critical that this patch is rolled out as soon as possible.

MS13-054 addresses the same TrueType vulnerability seen in MS13-052 and MS13-053. Because this vulnerability occurs within GDI+, it affects multiple products, including every supported version of Windows, Office 2003/2007/2010, Visual Studio .NET 2003, and Lync 2010/2013. We have seen TrueType font parsing vulnerabilities used as exploitation vectors with great success in targeted attacks, such as Stuxnet and Duqu. Because of the wide range of affected products (including every supported version of Windows) that use GDI+, this will be a target for attackers in the near future.

Lastly, a couple of bulletins address media-related vulnerabilities, and one more bulletin fixes an issue with Windows Defender. MS13-056 fixes an issue in DirectShow, which affects most supported versions of Windows (excluding Server Core installations, 2008/2008 R2 Itanium, and RT). MS13-057 addresses a vulnerability in the Microsoft WMV Video Decoder, affecting most supported versions of Windows (excluding Server Core installations and Itanium systems). Both of these bulletins address issues that could lead to remote code execution. Finally, MS13-058 fixes an elevation of privilege vulnerability in Windows Defender on Windows 7 and Server 2008 R2 systems.

Be sure to patch Internet Explorer (MS13-055) as soon as possible, along with the Windows kernel mode drivers (MS13-053), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, July 10 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!

Is virtual security a high priority in your IT department? Why or why not? Who is responsible for managing virtual asset security? Is it security or operations?

Answer the questions in the comments below, by Friday, July 12 5pm PT. We’ll notify a winner next week!

For those interested in following up on the articles discussed in the VEF, you can find them here:

CTO/CSO/CxO News:
Motorola is Listening
Android flaw allows hackers to surreptitiously modify apps

IT Admin News:
IPMI/BMC Vulnerabilities
Yahoo to Allow Account Takeovers

Researcher News:
Microsoft Announces Bounty Program
Attacking Crypto Phones: Weaknesses in ZRTPCPP

6 Responses to “July 2013 Patch Tuesday”

  1. Jeffrey

    Answer to Webinar question for Kindle Fire:
    We do take virtual security seriously, we consider it to be an operational requirement, and I (the NOC Specialist/Engineer) am responsible for managing it.

    July 10, 2013 1:22:11
  2. Greg

    Virtual security is a medium priority. Virtualization is well-used, and so we want to achieve at least parity with the security we have with physical assets.

    InfoSec is responsible for setting the security posture, but each unit is responsible for meeting that posture. In addition, we expect each unit to recommend back security improvements that can be added to the posture.

    July 10, 2013 1:30:35
    • Sarah Lieber

      Thanks, Greg! Hope you enjoyed the VEF this month!

      July 10, 2013 1:34:30
  3. Michael

    Virtual security is important; however, it is a tough sell to C-level management if the security feature/addition costs money on top of what a physical machine needs. The risk associated with virtual is, at times, hard to lay out in virtual vs. physical terms to get funding.

    July 10, 2013 1:43:11
  4. greg

    Virtual security is tricky because of the visibility factor. It’s operations’ job to make sure there is the correct infrastructure to handle the software that gets patched.

    July 10, 2013 1:48:14
