Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

July 2013 Patch Tuesday

Post by BeyondTrust Research Team July 9, 2013

July’s patch Tuesday fixes vulnerabilities in .NET, Windows, and Internet Explorer. There are a total of seven bulletins addressing 34 unique vulnerabilities; six bulletins are rated critical and one is rated important.

MS13-052 addresses a TrueType font parsing vulnerability in .NET (CVE-2013-3129, also addressed in MS13-053 and MS13-054), as well as six other vulnerabilities. This is similar to the vulnerability used by Stuxnet/Duqu, except those vulnerabilities lay in the kernel, whereas this one is in .NET, which is in userland. This .NET vulnerability can be exploited by causing the .NET framework to parse a maliciously crafted TrueType font, granting the attacker the ability to execute arbitrary code in the context of the current user. In addition to this vulnerability, there are others in this bulletin that grant remote code execution as well as elevation of privilege capabilities (such as bypassing code access security restrictions).

Internet Explorer gets some love with MS13-055. 17 vulnerabilities are addressed in this bulletin, composed of 16 memory corruption vulnerabilities and a cross-site scripting vulnerability. This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities. These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.

The rest of the bulletins address vulnerabilities in the Windows operating system, specifically providing patches for kernel mode drivers, GDI+, DirectShow, Windows Media Format Runtime, and Windows Defender.

MS13-053 addresses eight vulnerabilities within Windows kernel mode drivers, cumulatively affecting every supported version of Windows. Of these vulnerabilities, two CVEs were publicly disclosed: CVE-2013-3172 and CVE-2013-3660. While no exploits have been seen in the wild for CVE-2013-3172, targeted attacks have been observed that exploit CVE-2013-3660 to gain elevated privileges on vulnerable systems. Tavis Ormandy originally released an exploit for this vulnerability on the Full Disclosure mailing list. Since then, this exploit has been incorporated into public exploit frameworks. Among all the vulnerabilities addressed in this bulletin, attackers at large will be focused on exploiting CVE-2013-3660, since easily accessible exploit code already exists, so it is critical that this patch is rolled out as soon as possible.

MS13-054 addresses the same TrueType vulnerability seen in MS13-052 and MS13-053. Because this vulnerability occurs within GDI+, it affects multiple products, including every supported version of Windows, Office 2003/2007/2010, Visual Studio .NET 2003, and Lync 2010/2013. We have seen TrueType font parsing vulnerabilities used as exploitation vectors with great success in targeted attacks, such as Stuxnet and Duqu. Because of the wide range of affected products (including every supported versions Windows) that use GDI+, this will be a target for attackers in the near future.

Lastly, there are a couple bulletins that address media-related vulnerabilities, as well as a bulletin that fixes an issue with Windows defender. MS13-056 fixes an issue with DirectShow, which affects most supported versions of Windows (excluding Server Core installations, 2008/2008 R2 Itanium, and RT). MS13-057 addresses a vulnerability in the Microsoft WMV Video Decoder, affecting most supported versions of Windows (excluding Server Core installations and Itanium systems). Both of these bulletins address issues that could lead to remote code execution. Lastly, MS13-058 fixes an elevation of privilege vulnerability in Windows Defender for Windows 7 and Server 2008 R2 systems.

Be sure to patch Internet Explorer (MS13-055) as soon as possible, along with the Windows kernel mode drivers (MS13-053), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, July 10 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!

Is virtual security a high priority in your IT department? Why or why not? Who is responsible for managing virtual asset security? Is it security or operations?

Answer the questions in the comments below, by Friday, July 12 5pm PT. We’ll notify a winner next week!

For those interested in following up on the articles discussed in the VEF, you can find them here:

Motorola is Listening
Android flaw allows hackers to surreptitiously modify apps

IT Admin News:
IPMI/BMC Vulnerabilities
Yahoo to Allow Account Takeovers

Researcher News:
Microsoft Announces Bounty Program
Attacking Crypto Phones: Weaknesses in ZRTPCPP

, ,

Leave a Reply

6 Responses to “July 2013 Patch Tuesday”

  1. Jeffrey

    Answer to Webinar question for Kindle Fire:
    We do take virtual security seriously, we consider it to be an operational requirement, and I (the NOC Specialist/Engineer) am responsible for managing it.

    July 10, 2013 1:22:11, Reply
  2. Greg

    Virtual security is a medium priority. Virtualization is well-used, and so we want to achieve at least parity with the security we have with physical assets.

    InfoSec is responsible for setting the security posture, but each unit is responsible for meeting that posture. In addition, we expect each unit to recommend back security improvements that can be added to the posture.

    July 10, 2013 1:30:35, Reply
    • Sarah Lieber

      Thanks, Greg! Hope you enjoyed the VEF this month!

      July 10, 2013 1:34:30, Reply
  3. Michael

    Virtual security is important, however it is a tough sell to C level management if the security feature/addition cost money on top of what a physical machine needs. The risk associated with virtual, is at time, hard to layout in virtual vs. physical terms to get funding.

    July 10, 2013 1:43:11, Reply
  4. greg

    Virtual security is tricky because of the visibility factor. It’s operations’ job to make sure there is the correct infrastructure to handle the software that gets patched.

    July 10, 2013 1:48:14, Reply

Additional articles


Getting More Value from QualysGuard Vulnerability Data with BeyondInsight v5.1

If your vulnerability assessment scans can’t produce meaningful and actionable reports, performing a scan does no good for anyone. If you’ve read my other blog posts, you know I have no qualms about stating that BeyondTrust provides the best vulnerability reporting in the industry. Ask your favorite analyst and they’ll tend to agree. Of course,…

Post by Morey Haber April 18, 2014
, , , , , , , ,

Mitigating Inside Threats to U.S. Federal IT Environments

Recent high-profile cases have increased the perceived risks that go along with disclosure and usage of confidential information. One of the most difficult security threats to mitigate is an attack from the inside. When an over-privileged user, such as an unhappy current or former employee, contractor, or consultant, begins navigating your network, how will you…

Post by BeyondTrust Software April 17, 2014
, , , , ,

Are you a Target? Investigating Security Breaches with Kevin Johnson

Last week, over 1,000 IT security professionals watched as Kevin Johnson, CEO of Secure Ideas, presented his expert opinion on lessons learned from recent, high-profile retail breaches. Here’s a summary of key takeaways from the webcast plus an on-demand recording of the full, 60-minute presentation. Understanding the “why” behind attacks According to Kevin, the primary…

Post by Chris Burd April 17, 2014
, , , , ,