Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

July 2013 Patch Tuesday

Posted July 9, 2013    BeyondTrust Research Team

July’s patch Tuesday fixes vulnerabilities in .NET, Windows, and Internet Explorer. There are a total of seven bulletins addressing 34 unique vulnerabilities; six bulletins are rated critical and one is rated important.

MS13-052 addresses a TrueType font parsing vulnerability in .NET (CVE-2013-3129, also addressed in MS13-053 and MS13-054), as well as six other vulnerabilities. This is similar to the vulnerability used by Stuxnet/Duqu, except those vulnerabilities lay in the kernel, whereas this one is in .NET, which is in userland. This .NET vulnerability can be exploited by causing the .NET framework to parse a maliciously crafted TrueType font, granting the attacker the ability to execute arbitrary code in the context of the current user. In addition to this vulnerability, there are others in this bulletin that grant remote code execution as well as elevation of privilege capabilities (such as bypassing code access security restrictions).

Internet Explorer gets some love with MS13-055. 17 vulnerabilities are addressed in this bulletin, composed of 16 memory corruption vulnerabilities and a cross-site scripting vulnerability. This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities. These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.

The rest of the bulletins address vulnerabilities in the Windows operating system, specifically providing patches for kernel mode drivers, GDI+, DirectShow, Windows Media Format Runtime, and Windows Defender.

MS13-053 addresses eight vulnerabilities within Windows kernel mode drivers, cumulatively affecting every supported version of Windows. Of these vulnerabilities, two CVEs were publicly disclosed: CVE-2013-3172 and CVE-2013-3660. While no exploits have been seen in the wild for CVE-2013-3172, targeted attacks have been observed that exploit CVE-2013-3660 to gain elevated privileges on vulnerable systems. Tavis Ormandy originally released an exploit for this vulnerability on the Full Disclosure mailing list. Since then, this exploit has been incorporated into public exploit frameworks. Among all the vulnerabilities addressed in this bulletin, attackers at large will be focused on exploiting CVE-2013-3660, since easily accessible exploit code already exists, so it is critical that this patch is rolled out as soon as possible.

MS13-054 addresses the same TrueType vulnerability seen in MS13-052 and MS13-053. Because this vulnerability occurs within GDI+, it affects multiple products, including every supported version of Windows, Office 2003/2007/2010, Visual Studio .NET 2003, and Lync 2010/2013. We have seen TrueType font parsing vulnerabilities used as exploitation vectors with great success in targeted attacks, such as Stuxnet and Duqu. Because of the wide range of affected products (including every supported versions Windows) that use GDI+, this will be a target for attackers in the near future.

Lastly, there are a couple bulletins that address media-related vulnerabilities, as well as a bulletin that fixes an issue with Windows defender. MS13-056 fixes an issue with DirectShow, which affects most supported versions of Windows (excluding Server Core installations, 2008/2008 R2 Itanium, and RT). MS13-057 addresses a vulnerability in the Microsoft WMV Video Decoder, affecting most supported versions of Windows (excluding Server Core installations and Itanium systems). Both of these bulletins address issues that could lead to remote code execution. Lastly, MS13-058 fixes an elevation of privilege vulnerability in Windows Defender for Windows 7 and Server 2008 R2 systems.

Be sure to patch Internet Explorer (MS13-055) as soon as possible, along with the Windows kernel mode drivers (MS13-053), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, July 10 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!

Is virtual security a high priority in your IT department? Why or why not? Who is responsible for managing virtual asset security? Is it security or operations?

Answer the questions in the comments below, by Friday, July 12 5pm PT. We’ll notify a winner next week!

For those interested in following up on the articles discussed in the VEF, you can find them here:

Motorola is Listening
Android flaw allows hackers to surreptitiously modify apps

IT Admin News:
IPMI/BMC Vulnerabilities
Yahoo to Allow Account Takeovers

Researcher News:
Microsoft Announces Bounty Program
Attacking Crypto Phones: Weaknesses in ZRTPCPP

, ,

Leave a Reply

6 Responses to “July 2013 Patch Tuesday”

  1. Jeffrey

    Answer to Webinar question for Kindle Fire:
    We do take virtual security seriously, we consider it to be an operational requirement, and I (the NOC Specialist/Engineer) am responsible for managing it.

    July 10, 2013 1:22:11, Reply
  2. Greg

    Virtual security is a medium priority. Virtualization is well-used, and so we want to achieve at least parity with the security we have with physical assets.

    InfoSec is responsible for setting the security posture, but each unit is responsible for meeting that posture. In addition, we expect each unit to recommend back security improvements that can be added to the posture.

    July 10, 2013 1:30:35, Reply
    • Sarah Lieber

      Thanks, Greg! Hope you enjoyed the VEF this month!

      July 10, 2013 1:34:30, Reply
  3. Michael

    Virtual security is important, however it is a tough sell to C level management if the security feature/addition cost money on top of what a physical machine needs. The risk associated with virtual, is at time, hard to layout in virtual vs. physical terms to get funding.

    July 10, 2013 1:43:11, Reply
  4. greg

    Virtual security is tricky because of the visibility factor. It’s operations’ job to make sure there is the correct infrastructure to handle the software that gets patched.

    July 10, 2013 1:48:14, Reply

Additional articles


Passwords: A Hacker’s Best Friend

Posted September 1, 2015    Larry Brock

After all the years of talk about biometrics and multi-factor authentication, we still have passwords and will likely have them for a long time. Because many “high risk” systems require complex passwords (zk7&@1c6), most people that use them believe their passwords are secure. But they aren’t.

, ,

6 things I like about Gartner’s Cyber Resiliency Strategy

Posted August 27, 2015    Nigel Hedges

There were 6 key principles, or recommendations, that Gartner suggested were important drivers towards a great cyber resiliency posture. I commented more than once during the conference that many of these things were not new. They are all important recommendations that are best when placed together and given to senior management and the board – a critical element of organisations that desperately need to “get it”.


Why Customers Choose PowerBroker: Flexible Deployment Options

Posted August 26, 2015    Scott Lang

BeyondTrust commissioned a study of our customer base in early 2015 to determine how we are different from other alternatives in the market. What we learned was that there were six key differentiators that separate BeyondTrust from other solution providers in the market. We call it the PowerBroker difference,

, ,