BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

July 2013 Patch Tuesday

Posted July 9, 2013    BeyondTrust Research Team

July’s patch Tuesday fixes vulnerabilities in .NET, Windows, and Internet Explorer. There are a total of seven bulletins addressing 34 unique vulnerabilities; six bulletins are rated critical and one is rated important.

MS13-052 addresses a TrueType font parsing vulnerability in .NET (CVE-2013-3129, also addressed in MS13-053 and MS13-054), as well as six other vulnerabilities. This is similar to the vulnerability used by Stuxnet/Duqu, except those vulnerabilities lay in the kernel, whereas this one is in .NET, which is in userland. This .NET vulnerability can be exploited by causing the .NET framework to parse a maliciously crafted TrueType font, granting the attacker the ability to execute arbitrary code in the context of the current user. In addition to this vulnerability, there are others in this bulletin that grant remote code execution as well as elevation of privilege capabilities (such as bypassing code access security restrictions).

Internet Explorer gets some love with MS13-055. 17 vulnerabilities are addressed in this bulletin, composed of 16 memory corruption vulnerabilities and a cross-site scripting vulnerability. This continues the trend we’ve seen in recent Patch Tuesdays with Internet Explorer receiving fixes for lots of memory corruption vulnerabilities. These vulnerabilities will be used in drive-by attacks where attackers set up malicious web pages and use social engineering tactics to draw users to the malicious pages. It is imperative that this patch gets rolled out as soon as possible.

The rest of the bulletins address vulnerabilities in the Windows operating system, specifically providing patches for kernel mode drivers, GDI+, DirectShow, Windows Media Format Runtime, and Windows Defender.

MS13-053 addresses eight vulnerabilities within Windows kernel mode drivers, cumulatively affecting every supported version of Windows. Of these vulnerabilities, two CVEs were publicly disclosed: CVE-2013-3172 and CVE-2013-3660. While no exploits have been seen in the wild for CVE-2013-3172, targeted attacks have been observed that exploit CVE-2013-3660 to gain elevated privileges on vulnerable systems. Tavis Ormandy originally released an exploit for this vulnerability on the Full Disclosure mailing list. Since then, this exploit has been incorporated into public exploit frameworks. Among all the vulnerabilities addressed in this bulletin, attackers at large will be focused on exploiting CVE-2013-3660, since easily accessible exploit code already exists, so it is critical that this patch is rolled out as soon as possible.

MS13-054 addresses the same TrueType vulnerability seen in MS13-052 and MS13-053. Because this vulnerability occurs within GDI+, it affects multiple products, including every supported version of Windows, Office 2003/2007/2010, Visual Studio .NET 2003, and Lync 2010/2013. We have seen TrueType font parsing vulnerabilities used as exploitation vectors with great success in targeted attacks, such as Stuxnet and Duqu. Because of the wide range of affected products (including every supported versions Windows) that use GDI+, this will be a target for attackers in the near future.

Lastly, there are a couple bulletins that address media-related vulnerabilities, as well as a bulletin that fixes an issue with Windows defender. MS13-056 fixes an issue with DirectShow, which affects most supported versions of Windows (excluding Server Core installations, 2008/2008 R2 Itanium, and RT). MS13-057 addresses a vulnerability in the Microsoft WMV Video Decoder, affecting most supported versions of Windows (excluding Server Core installations and Itanium systems). Both of these bulletins address issues that could lead to remote code execution. Lastly, MS13-058 fixes an elevation of privilege vulnerability in Windows Defender for Windows 7 and Server 2008 R2 systems.

Be sure to patch Internet Explorer (MS13-055) as soon as possible, along with the Windows kernel mode drivers (MS13-053), followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, July 10 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Attention VEF Attendees! Answer the question below and possibly win a Kindle Fire!

Is virtual security a high priority in your IT department? Why or why not? Who is responsible for managing virtual asset security? Is it security or operations?

Answer the questions in the comments below, by Friday, July 12 5pm PT. We’ll notify a winner next week!

For those interested in following up on the articles discussed in the VEF, you can find them here:

CTO/CSO/CxO News:
Motorola is Listening
Android flaw allows hackers to surreptitiously modify apps

IT Admin News:
IPMI/BMC Vulnerabilities
Yahoo to Allow Account Takeovers

Researcher News:
Microsoft Announces Bounty Program
Attacking Crypto Phones: Weaknesses in ZRTPCPP

Tags:
, ,

Leave a Reply

6 Responses to “July 2013 Patch Tuesday”

  1. Jeffrey

    Answer to Webinar question for Kindle Fire:
    We do take virtual security seriously, we consider it to be an operational requirement, and I (the NOC Specialist/Engineer) am responsible for managing it.

    July 10, 2013 1:22:11, Reply
  2. Greg

    Virtual security is a medium priority. Virtualization is well-used, and so we want to achieve at least parity with the security we have with physical assets.

    InfoSec is responsible for setting the security posture, but each unit is responsible for meeting that posture. In addition, we expect each unit to recommend back security improvements that can be added to the posture.

    July 10, 2013 1:30:35, Reply
    • Sarah Lieber

      Thanks, Greg! Hope you enjoyed the VEF this month!

      July 10, 2013 1:34:30, Reply
  3. Michael

    Virtual security is important, however it is a tough sell to C level management if the security feature/addition cost money on top of what a physical machine needs. The risk associated with virtual, is at time, hard to layout in virtual vs. physical terms to get funding.

    July 10, 2013 1:43:11, Reply
  4. greg

    Virtual security is tricky because of the visibility factor. It’s operations’ job to make sure there is the correct infrastructure to handle the software that gets patched.

    July 10, 2013 1:48:14, Reply

Additional articles

Dark Reading

2014: The Year of Privilege Vulnerabilities

Posted December 18, 2014    Chris Burd

Of the 30 critical-rated Microsoft Security Bulletins this year, 24 involved vulnerabilities where the age-old best practice of “least privilege” could limit the impact of malware and raise the bar of difficulty for attackers.

Tags:
, , , , ,
dave-shackleford-headshot

Looking back on information security in 2014

Posted December 16, 2014    Dave Shackleford

Dave Shackleford is a SANS Instructor and founder of Voodoo Security. Join Dave for a closer look at the year in security, and learn what you can do to prepare for 2015, with this upcoming webinar. 2014 has been one heck of an insane year for information security professionals. To start with, we’ve been forced…

Tags:
, ,
patch-tuesday

December 2014 Patch Tuesday

Posted December 9, 2014    BeyondTrust Research Team

This month marks the final Patch Tuesday of 2014. Most of what is being patched this month includes Internet Explorer, Exchange, Office, etc… and continues a trend of the greatest hits collection of commonly attacked Microsoft software. Probably the one thing that broke the mold this month is that for once there is not some…

Tags:
,