Security In Context

Bringing you news and commentary on solutions and strategies for protecting your critical IT infrastructure.

March 2013 Patch Tuesday: Cleaning House

Post by BeyondTrust Research Team March 12, 2013

Patch Tuesday is upon us, and this month Microsoft is doing a little spring cleaning of vulnerabilities, fixing a well-rounded collection of client-side bugs along with a few server-side ones for good measure. The affected software includes Internet Explorer, Silverlight, Visio Viewer, SharePoint, OneNote, Outlook for Mac, and a Windows kernel-mode driver. In total, 20 vulnerabilities are addressed by seven bulletins, four of which are rated critical.

Boldly leading the charge is Internet Explorer in MS13-021, with a whopping nine vulnerabilities, all of them use-after-free bugs. This one bulletin accounts for almost half of the vulnerabilities addressed this month. Every supported version of Internet Explorer (6 through 10) is affected, which implicitly makes every supported Windows platform (including Windows RT) a target. Of the nine CVEs, seven affect every supported version of Internet Explorer, so attackers have plenty of choice when picking a vulnerability to exploit in the near future. One of the nine was publicly disclosed before the patch, but it affects only Internet Explorer 8. The Internet Explorer 10 vulnerabilities exploited by VUPEN at Pwn2Own do not appear to be addressed in this release; we anticipate seeing them fixed next month.

There are a couple of other critical client-side bulletins this month, both for remote code execution: Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight bug could be exploited through a drive-by web page hosting a malicious Silverlight application, with the attacker luring users to the page through some form of social engineering, such as a phishing campaign or a watering-hole attack. The Visio Viewer vulnerability would be exploited the same way as most document-parser bugs, by convincing users to open a seemingly legitimate email attachment, a tactic that has proven consistently effective for attackers.

Additionally, Microsoft is patching a few vulnerabilities in SharePoint Server and SharePoint Foundation with MS13-024: three elevation of privilege vulnerabilities and one denial of service. The elevation of privilege bugs could allow an attacker to perform actions as if they were a user logged onto the SharePoint site. The denial of service bug would crash the entire SharePoint site, requiring a manual restart. Needless to say, this bulletin patches some very disruptive vulnerabilities, and it is the one critical bulletin this month that lands on servers rather than endpoints.

Finishing up the application vulnerabilities for this month are patches for OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026). Both bulletins address information disclosure vulnerabilities. The OneNote bug could allow an attacker to obtain information not normally available to them, such as usernames and passwords. The Office for Mac bug specifically affects the Outlook for Mac component and allows remote content to be loaded when a user views an HTML email message. On its own that is a disclosure issue (the attacker learns when and from where the message was opened), but it could also be used to pull in a second-stage exploit for a separate vulnerability to compromise the victim's system.

Lastly, MS13-027 addresses multiple vulnerabilities in Windows kernel-mode drivers, specifically certain USB drivers. These could be exploited to execute code in the kernel, but the attacker must be physically at the machine and able to plug in a USB device. That makes this different from the usual second-stage local privilege escalation that follows a remote compromise to gain a deeper foothold; it is far more likely to be exploited in very limited, targeted attacks where the adversary already has hands on the hardware.

And that wraps up this month's Patch Tuesday overview. Make sure to roll out the critical patches (MS13-021, MS13-022, MS13-023, and MS13-024) as soon as possible, followed by the rest. Also, be sure not to miss the Vulnerability Expert Forum tomorrow, Wednesday, March 13 at 1pm PT, where we cover these patches as well as other security news.
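Rolling a patch out is only half the job; confirming it actually landed is the other half. The following PowerShell function is an added example, not part of the original post or any BeyondTrust tool. It checks a list of hosts for the presence of given KB articles using Get-HotFix. The KB numbers behind each bulletin are not listed in this post, so they are taken as input rather than assumed here: look them up in the bulletin (each MS13-0xx bulletin maps to one or more KB articles) and pass them in with -KbIds.

```powershell
# Added example (not from the original post): confirm that specific KB articles
# are installed across a set of Windows hosts after Patch Tuesday.
# The KB numbers are NOT hard-coded; supply the ones listed in each bulletin.
function Test-PatchPresence {
    param(
        # KB identifiers, with or without the "KB" prefix, e.g. 'KB1234567' or '1234567'.
        [Parameter(Mandatory)][string[]]$KbIds,
        # Hosts to query; defaults to the local machine. Remote queries use WMI/DCOM.
        [string[]]$ComputerName = @($env:COMPUTERNAME)
    )

    # Normalise input to the "KBnnnnnnn" form that Get-HotFix reports in HotFixID.
    $wanted = foreach ($id in $KbIds) {
        if ($id -match '^\d+$') { "KB$id" } else { $id.ToUpper() }
    }

    foreach ($computer in $ComputerName) {
        try {
            $installed = Get-HotFix -ComputerName $computer -ErrorAction Stop |
                         Select-Object -ExpandProperty HotFixID
        }
        catch {
            # A host we cannot enumerate is an unknown, not a pass; surface it loudly.
            Write-Warning "$computer : could not enumerate hotfixes ($($_.Exception.Message))"
            foreach ($kb in $wanted) {
                [pscustomobject]@{ Computer = $computer; KB = $kb; Installed = $null }
            }
            continue
        }

        foreach ($kb in $wanted) {
            [pscustomobject]@{
                Computer  = $computer
                KB        = $kb
                Installed = [bool]($installed -contains $kb)
            }
        }
    }
}

# Example usage (host names and KB list are placeholders you fill in):
#   Test-PatchPresence -KbIds <KBs from MS13-021, MS13-027> -ComputerName srv01, ws42 |
#       Where-Object { $_.Installed -ne $true } | Format-Table -AutoSize
```

One caveat worth knowing before trusting the output: Get-HotFix reads the Win32_QuickFixEngineering WMI class, which only lists updates applied through the Windows servicing stack (the IE bulletin MS13-021 and the kernel driver bulletin MS13-027 show up there). Office, Silverlight and SharePoint updates (MS13-022 through MS13-026) are installed by their own product updaters and do not appear in that class, so a host can report clean here and still be missing the Silverlight or Visio Viewer fix. Verify those by checking the installed product version against the fixed version given in the bulletin, or through your patch management console.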


4 Responses to “March 2013 Patch Tuesday: Cleaning House”

  1. Bob

    The best practice I’ve been able to do around cleanup is to schedule a small time every month (usually immediately after patch Tuesday) to do any cleanup needed. Typically this includes, among others, patching anything that for any reason is not on automatic patching software. Also this is a great time to check for 3rd party patches that might go unnoticed.

    March 13, 2013 1:30:15
  2. Soo

    Once a year is good. I like to let the crud build up for awhile before I clean it.

    March 13, 2013 1:46:43
  3. Alex

    “Spring cleaning” once a year can be a great idea and at first sight can save a lot of time during the year, but my way is to maintain my systems continuously and not wait until systems crash and we have no choice but to start patching and fixing immediately.

    March 13, 2013 1:59:08
  4. Mike

    At the company I work at I’m over servers, network devices and storage. Servers get patched monthly and other devices get patched when needed/available. Our company has a yearly archiving policy to move items from the previous year to an archive medium of some kind. I’ve also taken some time every year to try and review firewall ACLs, network configs, company IT policies and AD GPOs. This has helped lock down security a lot and increased my understanding of what is actually going on in the network.

    March 14, 2013 2:31:15
