Security in Context: The BeyondTrust Blog


November 2013 Patch Tuesday

Posted November 12, 2013    BeyondTrust Research Team

November’s Patch Tuesday cycle brings us fixes for a variety of software including Internet Explorer, the Graphics Device Interface (GDI), Office, Hyper-V, Outlook, and others. There are a total of 8 patches, fixing 19 unique vulnerabilities; three bulletins are rated as critical and the other five are rated as important.

If you’ve been following the news at all these past couple of weeks, you will have noticed that not one but two zero-day vulnerabilities targeting Internet Explorer have been seen exploited in the wild. The first zero-day, CVE-2013-3906, was announced by Microsoft in an advisory and in a blog post stating that it was being used against targets in the Middle East and South Asia. While the most recent versions of Windows and Office are unaffected, Vista, Server 2008, and Office 2003 through 2010 are affected, so it is very important to roll out the Fix it as soon as possible to help protect vulnerable systems. No official patch from Microsoft has been released at this point.

The second zero-day recently seen is being patched today. MS13-090 provides a fix for this vulnerability by setting kill bits for the InformationCardSigninHelper ActiveX control. It was originally reported by FireEye. The vulnerability permits remote code execution on a victim’s system via browse-and-get-owned scenarios, the same attack vector present in the Internet Explorer vulnerabilities addressed this month. While Server Core installations of Windows Server 2008 and 2012 escaped being affected, all other supported versions of Windows are affected. Because this vulnerability is being actively attacked in the wild, it is extremely important to roll this patch out as soon as possible.
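A defender-side check for the kill-bit mechanism that MS13-090 relies on, added here as an example and not part of the original post or of Microsoft’s bulletin. Internet Explorer refuses to load a control whose "Compatibility Flags" value under the ActiveX Compatibility key has the 0x400 kill bit set; the CLSID in the script is a placeholder, since the real value for InformationCardSigninHelper is not quoted in this article.

```powershell
# Added example (not from the BeyondTrust post): report whether the ActiveX
# kill bit is set for a control's CLSID. Run in an elevated PowerShell session.
$KillBit = 0x400   # kill-bit flag inside the "Compatibility Flags" DWORD

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)

    # 64-bit and 32-bit Internet Explorer read different registry views,
    # so inspect both; a view that does not exist on this machine is skipped.
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }

        $key   = Join-Path $root $Clsid
        $flags = 0
        if (Test-Path $key) {
            $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            if ($null -ne $item.'Compatibility Flags') {
                $flags = [int]$item.'Compatibility Flags'
            }
        }

        # Emit one row per registry view so both can be checked at a glance.
        [pscustomobject]@{
            View       = $root
            Clsid      = $Clsid
            Flags      = ('0x{0:X8}' -f $flags)
            KillBitSet = (($flags -band $KillBit) -eq $KillBit)
        }
    }
}

# PLACEHOLDER CLSID: replace with the control's real CLSID from the MS13-090 bulletin.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A row with KillBitSet equal to False after the patch has been deployed means that registry view was not updated and the control can still be instantiated from a web page.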

Following the topic of Internet Explorer, MS13-088 addresses 10 vulnerabilities in Microsoft’s browser, fixing versions 6 through 11. Among them are two information disclosure bugs and eight memory corruption issues that enable remote code execution; two of the latter (CVE-2013-3915 and CVE-2013-3917) affect every supported version of Internet Explorer. These were all privately reported, with no known exploitation occurring in the wild. The typical exploitation scenario is an attacker creating a malicious web page and convincing users to view it, which lets the attacker execute arbitrary code on the victims’ machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible.

The next bulletin, MS13-089, fixes a vulnerability in GDI that affects every supported version of Windows from XP to Windows 8.1. To exploit it, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as the browse-and-get-owned scenario of the vulnerabilities fixed by MS13-088, it is still potent because it affects every supported version of Windows. Administrators should deploy this patch as soon as possible.

Next in the bulletin line-up is MS13-091, addressing three vulnerabilities in Microsoft Office, specifically in Word. Versions affected include Office 2003, 2007, 2010, and 2013. All three vulnerabilities were privately reported with no known exploitation taking place in the wild. One of the vulnerabilities, CVE-2013-1324, affects every supported version of Microsoft Office, so attackers will focus on that one in particular. Because these are all remote code execution vulnerabilities, successful exploitation will result in an attacker’s code being able to run on a victim’s machine within the context of the current user.

Another Office-related vulnerability is being fixed this month in MS13-094. This bulletin fixes an information disclosure vulnerability affecting Outlook 2007, 2010, and 2013. While it has not been observed being exploited in the wild, it has been publicly disclosed. The vulnerability itself manifests when S/MIME certificate metadata is expanded. Attackers could use it to obtain the IP address of the victim, as well as open TCP ports, which is useful when performing reconnaissance against a network in preparation for an attack. The more information an attacker can gain about a target, the higher the chance that the attack will succeed.

MS13-092 brings a fix for Hyper-V, addressing an elevation of privilege vulnerability. This affects Windows 8 and Server 2012 (8.1 and Server 2012 R2 are unaffected). To exploit this vulnerability, an attacker would need to gain access to a guest virtual machine within a Hyper-V host. From there, they would need to execute a malicious program, which would either 1) crash the host system, thereby denying service to any users or systems utilizing any guests on the host or 2) execute code on another guest running on the affected host machine. The denial of service attack would be useful for causing a disruption as a distraction, whereas the ability to execute arbitrary code on another guest machine could be incredibly valuable in the context of hosted virtual machine scenarios, permitting the takeover of other guests running on affected Hyper-V hosts.

Lastly, the remaining two bulletins this month fix an information disclosure (MS13-093) and a denial of service (MS13-095). MS13-093 addresses a memory disclosure vulnerability in the Windows ancillary function driver, which could be used in conjunction with a secondary exploit to elevate privileges on a system to kernel level. MS13-095 fixes a vulnerability that permits an attacker to crash an affected web service when it parses a malicious X.509 certificate. This could be used by attackers to cause a distraction while they attack other systems on the network.

Be sure to patch the ActiveX 0day (MS13-090), Internet Explorer (MS13-088), and GDI (MS13-089) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, November 13 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7!

In light of our upcoming BeyondSaaS launch, we want to know, do you currently conduct vulnerability assessment scans from the cloud? And if so, how? How often are you doing external scans?

Most awesome answer wins!

>> VEF News Articles

BlackBerry Link Remote Code Execution Vulnerability
Google Encrypts Internal Network
Cyberattack On Haifa Road Network Work Of Unknown, Sophisticated Hackers

IT Admin:
Project Shield
Digital Attack Map
Hidden chips ‘launch spam attacks from irons’
DARPA slaps $2m on the bar for the ULTIMATE security bug SLAYER

>> VEF Questions & Comments

Edward had asked us for our thoughts regarding using Tor as an enterprise browser standard. DJ’s thoughts were primarily centered on reliability, or the lack thereof: Tor is slow and cannot absolutely guarantee anonymity. But Carter brought a much more relevant and interesting point to light, which is that once you’re on the Tor network, your data is in the hands of third parties. If you’re transporting sensitive content, like medical records or intellectual property, you may run into significant legal repercussions.

Chris had mentioned a certain three-letter agency mucking about with popular encryption algorithms… we’re just going to leave this advisory here.

Thank you to everyone that attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly.


5 Responses to “November 2013 Patch Tuesday”

  1. Edward

    We are currently not using dedicated cloud services, using SaaS only, so the provider does the scanning and assessment on a quarterly basis.

    November 13, 2013 1:25:10
  2. Abe

    Currently using Qualys external and internal scanning solutions. We use this weekly and remediate based upon severity and complexity. Always looking for better solutions to vulnerability scanning.

    November 13, 2013 1:28:10
  3. Greg

    We have used cloud-based scans against our external addresses using a product from one of your competitors. There’s a compelling argument for that approach – it sure makes those scans easy and repeatable. But it also is more costly than using scanners on our own boxes. We continue to pinch pennies.

    Happy Thanksgiving, y’all! Good show today – thanks for the heads up on Project Shield!

    November 13, 2013 1:34:18
  4. ed

    I would like to enter the contest mentioned during the webinar today – I scan my client’s network every second! How’s that for an awesome response! I’ve implemented ISA Server to monitor traffic as it comes in and goes out. But since ISA is an old solution I’m looking at other options including Damballa. So give me my prize and we’ll investigate your software as a possible solution for my clients to replace ISA in the future. 😉

    November 13, 2013 4:46:27
  5. Ben

    We do not currently conduct vulnerability assessment scans from the cloud. Vulnerability assessments are conducted as needed by outside vendors. This leaves some gaps in availability and frequency of scans, but also offers the flexibility of utilizing different vendors depending on current needs. Scans are currently done on a quarterly basis, with additional scans as needs or audits require. I believe that there are certainly opportunities to bring in additional tools and both scan more frequently and perform scans from the cloud. This seems like a good solution to many of the difficulties that we have faced.

    November 15, 2013 1:35:52
