BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

July 2013 Patch Tuesday

Posted July 9, 2013    BeyondTrust Research Team

July’s patch Tuesday fixes vulnerabilities in .NET, Windows, and Internet Explorer. There are a total of seven bulletins addressing 34 unique vulnerabilities; six bulletins are rated critical and one is rated important.

MS13-052 addresses a TrueType font parsing vulnerability in .NET (CVE-2013-3129, also addressed in MS13-053 and MS13-054), as well as six other vulnerabilities. This is similar to the vulnerability used by Stuxnet/Duqu, except those vulnerabilities lay in the kernel, whereas this one is in .NET, which is in userland. This .NET vulnerability can be exploited by causing the .NET framework to parse a maliciously crafted TrueType font, granting the attacker the ability to execute arbitrary code in the context of the current user. In addition to this vulnerability, there are others in this bulletin that grant remote code execution as well as elevation of privilege capabilities (such as bypassing code access security restrictions).

Internet Explorer gets some love with MS13-055. 17 vulnerabilities are addressed in this bulletin, composed of 16 memory corruption vulnerabilities and a cross-site scripting vulnerability. This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities. These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.

The rest of the bulletins address vulnerabilities in the Windows operating system, specifically providing patches for kernel mode drivers, GDI+, DirectShow, Windows Media Format Runtime, and Windows Defender.

MS13-053 addresses eight vulnerabilities within Windows kernel mode drivers, cumulatively affecting every supported version of Windows. Of these vulnerabilities, two CVEs were publicly disclosed: CVE-2013-3172 and CVE-2013-3660. While no exploits have been seen in the wild for CVE-2013-3172, targeted attacks have been observed that exploit CVE-2013-3660 to gain elevated privileges on vulnerable systems. Tavis Ormandy originally released an exploit for this vulnerability on the Full Disclosure mailing list. Since then, this exploit has been incorporated into public exploit frameworks. Among all the vulnerabilities addressed in this bulletin, attackers at large will be focused on exploiting CVE-2013-3660, since easily accessible exploit code already exists, so it is critical that this patch is rolled out as soon as possible.

MS13-054 addresses the same TrueType vulnerability seen in MS13-052 and MS13-053. Because this vulnerability occurs within GDI+, it affects multiple products, including every supported version of Windows, Office 2003/2007/2010, Visual Studio .NET 2003, and Lync 2010/2013. We have seen TrueType font parsing vulnerabilities used as exploitation vectors with great success in targeted attacks, such as Stuxnet and Duqu. Because of the wide range of affected products (including every supported versions Windows) that use GDI+, this will be a target for attackers in the near future.

Lastly, there are a couple bulletins that address media-related vulnerabilities, as well as a bulletin that fixes an issue with Windows defender. MS13-056 fixes an issue with DirectShow, which affects most supported versions of Windows (excluding Server Core installations, 2008/2008 R2 Itanium, and RT). MS13-057 addresses a vulnerability in the Microsoft WMV Video Decoder, affecting most supported versions of Windows (excluding Server Core installations and Itanium systems). Both of these bulletins address issues that could lead to remote code execution. Lastly, MS13-058 fixes an elevation of privilege vulnerability in Windows Defender for Windows 7 and Server 2008 R2 systems.

Be sure to patch Internet Explorer (MS13-055) as soon as possible, along with the Windows kernel mode drivers (MS13-053), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, July 10 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!

Is virtual security a high priority in your IT department? Why or why not? Who is responsible for managing virtual asset security? Is it security or operations?

Answer the questions in the comments below, by Friday, July 12 5pm PT. We’ll notify a winner next week!

For those interested in following up on the articles discussed in the VEF, you can find them here:

CTO/CSO/CxO News:
Motorola is Listening
Android flaw allows hackers to surreptitiously modify apps

IT Admin News:
IPMI/BMC Vulnerabilities
Yahoo to Allow Account Takeovers

Researcher News:
Microsoft Announces Bounty Program
Attacking Crypto Phones: Weaknesses in ZRTPCPP

Tags:
, ,

Leave a Reply

6 Responses to “July 2013 Patch Tuesday”

  1. Jeffrey

    Answer to Webinar question for Kindle Fire:
    We do take virtual security seriously, we consider it to be an operational requirement, and I (the NOC Specialist/Engineer) am responsible for managing it.

    July 10, 2013 1:22:11, Reply
  2. Greg

    Virtual security is a medium priority. Virtualization is well-used, and so we want to achieve at least parity with the security we have with physical assets.

    InfoSec is responsible for setting the security posture, but each unit is responsible for meeting that posture. In addition, we expect each unit to recommend back security improvements that can be added to the posture.

    July 10, 2013 1:30:35, Reply
    • Sarah Lieber

      Thanks, Greg! Hope you enjoyed the VEF this month!

      July 10, 2013 1:34:30, Reply
  3. Michael

    Virtual security is important, however it is a tough sell to C level management if the security feature/addition cost money on top of what a physical machine needs. The risk associated with virtual, is at time, hard to layout in virtual vs. physical terms to get funding.

    July 10, 2013 1:43:11, Reply
  4. greg

    Virtual security is tricky because of the visibility factor. It’s operations’ job to make sure there is the correct infrastructure to handle the software that gets patched.

    July 10, 2013 1:48:14, Reply

Additional articles

ovum-research

New Analyst SWOT Assessment Identifies Key Strengths of PowerBroker

Posted November 24, 2014    Scott Lang

Following on the heels of the Gartner PAM market guide and Frost & Sullivan review of Password Safe comes a new analyst review of our BeyondInsight and PowerBroker platforms, a SWOT assessment of BeyondTrust written by Ovum. Ovum’s honest and thorough review of BeyondTrust indicates that we are delivering, “…an integrated, one-stop approach to PAM….

Tags:
, , ,

Patented Windows privilege management brings you unmatched benefits

Posted November 24, 2014    Scott Lang

We are pleased to announce that BeyondTrust has been granted a new U.S. Patent (No. 8,850,549) for privilege management, validating our approach to helping our customers achieve least privilege in Windows environments. The methods and systems that we employ for controlling access to resources and privileges per process are unique to BeyondTrust PowerBroker for Windows….

Tags:
6

A Quick Look at MS14-068

Posted November 20, 2014    BeyondTrust Research Team

Microsoft recently released an out of band patch for Kerberos.  Taking a look at the Microsoft security bulletin, it seems like there is some kind of issue with Kerberos signatures related to tickets. Further information is available in the Microsoft SRD Blogpost So it looks like there is an issue with PAC signatures.  But what…

Tags:
, , , ,