Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

March 2013 Patch Tuesday: Cleaning House

Posted March 12, 2013    BeyondTrust Research Team

Patch Tuesday is upon us and this month, Microsoft is doing a little spring cleaning of vulnerabilities, fixing a well-rounded collection of client-side vulnerabilities, along with a few server-side vulnerabilities for good measure. This month, the affected software includes Internet Explorer, Silverlight, Visio Viewer, SharePoint, OneNote, Outlook for Mac, and a Windows kernel-mode driver. In total, there are 20 vulnerabilities addressed by seven bulletins, four of which are rated critical.

Boldly leading the charge of bulletins is Internet Explorer in MS13-021, with a whopping nine vulnerabilities, all of which are use after free vulnerabilities. This bulletin alone composes almost half of the vulnerabilities addressed this month. Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers. Of the nine CVEs addressed, seven of them affect every supported version of Internet Explorer, so attackers have many choices when selecting a vulnerability to exploit in the near future. It should be noted that one of the nine vulnerabilities was publicly disclosed, but it only affects Internet Explorer 8. Additionally, it does not appear that the Internet Explorer 10 vulnerabilities exploited by VUPEN at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month.

There are a couple other critical client-side vulnerabilities this month, composed of remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight bug could be exploited by attackers via a drive-by web page hosting a malicious Silverlight application, where the attacker would convince users to view the malicious web page through some form of social engineering, such as phishing attacks or watering hole attacks. The Visio Viewer vulnerability would similarly be exploited by convincing users to open seemingly legitimate email attachments, which has proven to be an effective tactic for attackers.

Additionally, Microsoft is patching a few vulnerabilities within SharePoint Server and SharePoint Foundation, addressed within MS13-024. These include three elevation of privilege vulnerabilities and a denial of service vulnerability. The elevation of privilege vulnerabilities could allow an attacker to execute actions as if they were a user logged onto the SharePoint site. The denial of service vulnerability would cause the entire SharePoint site to crash, requiring a manual restart. Needless to say, this bulletin patches some very disruptive vulnerabilities.

Finishing up the application vulnerabilities for this month are patches for OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026). Both of these bulletins address information disclosure vulnerabilities. The OneNote vulnerability allows an attacker to disclose information not normally available to the attacker, such as usernames and passwords. The Office for Mac vulnerability specifically affects the Outlook for Mac component, allowing attackers to load remote content when an HTML email message is viewed by users. This could be used by attackers to load a secondary exploit targeting a secondary vulnerability to compromise the victim’s system.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers. These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine. That means this is not the normal type of second-stage vulnerability that would be exploited to gain a deeper foothold on a system. Instead, this will only be exploited in very limited and targeted attacks.

And that wraps up this month’s Patch Tuesday overview. So make sure to get the critical patches (MS13-021, MS13-022, MS13-023, and MS13-024) rolled out as soon as possible, followed by the rest of the patches. Also, be sure not to miss the Vulnerability Expert Forum tomorrow, Wednesday, March 13 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

, , , ,

Leave a Reply

4 Responses to “March 2013 Patch Tuesday: Cleaning House”

  1. Bob

    The best practice I’ve been able to do around cleanup is to schedule a small time every month (usually immediately after patch Tuesday) to do any cleanup needed. Typically this includes, among others, patching anything that for any reason is not on automatic patching software. Also this is a great time to check for 3rd party patches that might go unnoticed.

    March 13, 2013 1:30:15, Reply
  2. Soo

    Once a year is good. I like to let the crud build up for awhile before I clean it.

    March 13, 2013 1:46:43, Reply
  3. Alex

    “Spring cleaning” once a year it can be great idea and at first sight can save a lot of time during the year, but my way is to maintain my systems continuously and to not wait systems will crash, and we will not have any choice only start patching and fixing immediately.

    March 13, 2013 1:59:08, Reply
  4. Mike

    At the company I work at I’m over servers, network devices and storage. Servers get patched monthly and other devices get patched when needed/available. Our company has a yearly archiving policy to move items from the previous year to an archive medium of some kind. I’ve also taken some time every year to try and review firewall ACL’s, network configs, company IT policies and AD GPO’s. This has helped lock down security a lot and increase my understanding of what is actually going on in the network.

    March 14, 2013 2:31:15, Reply

Additional articles


Closing the Vulnerability Gap

Posted October 7, 2015    Brian Chappell

Managing vulnerabilities is a significant challenge for many organizations. The main difficulties with managing this manifest in two key areas. The first is that the list isn’t static. The second is priority.


Scottrade Breach: Identified by Federal Officials

Posted October 5, 2015    Morey Haber

Late afternoon on October 2nd, news leaked out of another large security breach, now at Scottrade. The identity count of records, in the millions again (4.6 million is the latest). This breach comes on the second day of national CyberSecurity month, the first being Experian/T-Mobile breach.

3d image Data Breach issues concept word cloud background

Experian/T-Mobile Data Breach: When 2 Days is not Enough

Posted October 2, 2015    Morey Haber

On October 1, Experian admitted full responsibility for the loss of T-Mobile customer data. 15 million user records dating back to 2013 were effected in the breach, with data including sensitive information that may be decryptable like social security numbers and drivers licenses.