BeyondTrust

Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

March 2013 Patch Tuesday: Cleaning House

Posted March 12, 2013    BeyondTrust Research Team

Patch Tuesday is upon us and this month, Microsoft is doing a little spring cleaning of vulnerabilities, fixing a well-rounded collection of client-side vulnerabilities, along with a few server-side vulnerabilities for good measure. This month, the affected software includes Internet Explorer, Silverlight, Visio Viewer, SharePoint, OneNote, Outlook for Mac, and a Windows kernel-mode driver. In total, there are 20 vulnerabilities addressed by seven bulletins, four of which are rated critical.

Boldly leading the charge of bulletins is Internet Explorer in MS13-021, with a whopping nine vulnerabilities, all of which are use after free vulnerabilities. This bulletin alone composes almost half of the vulnerabilities addressed this month. Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers. Of the nine CVEs addressed, seven of them affect every supported version of Internet Explorer, so attackers have many choices when selecting a vulnerability to exploit in the near future. It should be noted that one of the nine vulnerabilities was publicly disclosed, but it only affects Internet Explorer 8. Additionally, it does not appear that the Internet Explorer 10 vulnerabilities exploited by VUPEN at Pwn2Own have been addressed in this patch, but we do anticipate seeing them addressed next month.

There are a couple other critical client-side vulnerabilities this month, composed of remote code execution vulnerabilities in Silverlight 5 (MS13-022) and Visio Viewer 2010 (MS13-023). The Silverlight bug could be exploited by attackers via a drive-by web page hosting a malicious Silverlight application, where the attacker would convince users to view the malicious web page through some form of social engineering, such as phishing attacks or watering hole attacks. The Visio Viewer vulnerability would similarly be exploited by convincing users to open seemingly legitimate email attachments, which has proven to be an effective tactic for attackers.

Additionally, Microsoft is patching a few vulnerabilities within SharePoint Server and SharePoint Foundation, addressed within MS13-024. These include three elevation of privilege vulnerabilities and a denial of service vulnerability. The elevation of privilege vulnerabilities could allow an attacker to execute actions as if they were a user logged onto the SharePoint site. The denial of service vulnerability would cause the entire SharePoint site to crash, requiring a manual restart. Needless to say, this bulletin patches some very disruptive vulnerabilities.

Finishing up the application vulnerabilities for this month are patches for OneNote 2010 (MS13-025) and Office 2008/2011 for Mac (MS13-026). Both of these bulletins address information disclosure vulnerabilities. The OneNote vulnerability allows an attacker to disclose information not normally available to the attacker, such as usernames and passwords. The Office for Mac vulnerability specifically affects the Outlook for Mac component, allowing attackers to load remote content when an HTML email message is viewed by users. This could be used by attackers to load a secondary exploit targeting a secondary vulnerability to compromise the victim’s system.

Lastly, MS13-027 addresses multiple vulnerabilities within Windows kernel-mode drivers, specifically within certain USB drivers. These vulnerabilities could be exploited by attackers to gain the ability to execute code in the kernel, but the attacker must be physically at the computer and able to insert a USB device into the vulnerable machine. That means this is not the normal type of second-stage vulnerability that would be exploited to gain a deeper foothold on a system. Instead, this will only be exploited in very limited and targeted attacks.

And that wraps up this month’s Patch Tuesday overview. So make sure to get the critical patches (MS13-021, MS13-022, MS13-023, and MS13-024) rolled out as soon as possible, followed by the rest of the patches. Also, be sure not to miss the Vulnerability Expert Forum tomorrow, Wednesday, March 13 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

Tags:
, , , ,

Leave a Reply

4 Responses to “March 2013 Patch Tuesday: Cleaning House”

  1. Bob

    The best practice I’ve been able to do around cleanup is to schedule a small time every month (usually immediately after patch Tuesday) to do any cleanup needed. Typically this includes, among others, patching anything that for any reason is not on automatic patching software. Also this is a great time to check for 3rd party patches that might go unnoticed.

    March 13, 2013 1:30:15, Reply
  2. Soo

    Once a year is good. I like to let the crud build up for awhile before I clean it.

    March 13, 2013 1:46:43, Reply
  3. Alex

    “Spring cleaning” once a year it can be great idea and at first sight can save a lot of time during the year, but my way is to maintain my systems continuously and to not wait systems will crash, and we will not have any choice only start patching and fixing immediately.

    March 13, 2013 1:59:08, Reply
  4. Mike

    At the company I work at I’m over servers, network devices and storage. Servers get patched monthly and other devices get patched when needed/available. Our company has a yearly archiving policy to move items from the previous year to an archive medium of some kind. I’ve also taken some time every year to try and review firewall ACL’s, network configs, company IT policies and AD GPO’s. This has helped lock down security a lot and increase my understanding of what is actually going on in the network.

    March 14, 2013 2:31:15, Reply

Additional articles

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Integrating Least Privilege and Password Management to Solve Account Security Challenges

Posted July 24, 2014    Morey Haber

There is a reason all BeyondTrust Privileged Account Management (PAM) solutions share the PowerBroker name: They all inherently enable you to reduce user-based risk and can be integrated under a centralized IT risk management platform. Here’s one common use case that demonstrates how this integration changes the playing field. Consider the challenge of privileged access:…

Tags:
, , , , ,
PowerBroker Password Safe Password Age Report

Reshaping Privileged Password Management with Password Safe 5.2

Posted July 21, 2014    Martin Cannard

Today, we’re pleased to unveil the latest edition of our privileged password management solution, PowerBroker Password Safe. I’ll start with a brief intro of what’s new and then tell you a little about the driving factors behind Password Safe development. New features for mitigating password risk and ensuring accountability enterprise-wide Here’s the 10,000-foot overview of…

Tags:
, , ,
PowerBroker for Windows tamper protection

PowerBroker for Windows 6.6 Tamper Protection

Posted July 18, 2014    Morey Haber

I have a bone to pick: Stopping an administrator from performing an action on a system is futile endeavor. As an administrator, there is always a way to circumvent a solution’s from tampered protection. Really! By default, Windows administrators have unrestricted access to the system – and even though an application, hardened configuration, or group policy…

Tags:
, ,