Security in Context: The BeyondTrust Blog

Welcome to Security in Context

Bringing you news and commentary on solutions and strategies for protecting critical IT infrastructure in the context of your business.

November 2013 Patch Tuesday

Posted November 12, 2013    BeyondTrust Research Team

November’s Patch Tuesday cycle brings us fixes for a variety of software including Internet Explorer, the Graphics Device Interface (GDI), Office, Hyper-V, Outlook, and others. There are a total of 8 patches, fixing 19 unique vulnerabilities; three bulletins are rated as critical and the other five are rated as important.

If you’ve been following the news at all these past couple weeks, you will have noticed that not one, but TWO zero-day vulnerabilities have been seen exploited in the wild that target Internet Explorer. The first zero-day, CVE-2013-3906, was announced by Microsoft in an advisory and in a blog post stating that it was seen being used against targets in the Middle East and South Asia. While the most recent versions of Windows and Office are unaffected, Vista, Server 2008, and Office 2003 through 2010 are affected, so it is very important to get the Fix it rolled out as soon as possible to help protect vulnerable systems. No official patch from Microsoft has been released at this point.

The second zero-day recently seen is being patched today. MS13-090 provides a fix for this vulnerability by setting killbits for the InformationCardSigninHelper ActiveX control. This was originally reported by FireEye. This vulnerability permits remote code execution on a victim’s system via browse-and-get-owned scenarios. This mimics the attack vector present for vulnerabilities addressed in Internet Explorer this month. While server core versions of Windows Server 2008 and 2012 escaped being affected by this vulnerability, all other supported versions of Windows are affected. Because this has seen active attacks in the wild, it is extremely important to roll this patch out as soon as possible.

Following the topic of Internet Explorer, MS13-088 addresses 10 vulnerabilities in Microsoft’s browser, fixing versions 6 through 11. Among the vulnerabilities, there are two information disclosure bugs and eight memory corruption issues that enable remote code execution–two of which (CVE-2013-3915 and CVE-2013-3917) affect every supported version of Internet Explorer. These were all privately reported, with no known exploitation occurring in the wild. Typical exploitation scenarios will include attackers creating a malicious web page and convincing users to view the page, enabling the attackers to execute arbitrary code on the victims’ machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible.

The next bulletin, MS13-089, fixes a vulnerability in GDI, which affects every supported version of Windows from XP to Windows 8.1. To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as a browse-and-get-owned scenario offered by MS13-088, it is still potent, due to the fact that it affects every version of supported Windows. Administrators should deploy this patch out as soon as possible.

Next in the bulletin line-up is MS13-091, addressing three vulnerabilities in Microsoft Office, specifically in Word. Versions affected include Office 2003, 2007, 2010, and 2013. All three vulnerabilities were privately reported with no known exploitation taking place in the wild. One of the vulnerabilities, CVE-2013-1324, affects every supported version of Microsoft Office, so attackers will focus on that one in particular. Because these are all remote code execution vulnerabilities, successful exploitation will result in an attacker’s code being able to run on a victim’s machine within the context of the current user.

Another Office-related vulnerability is being fixed this month in MS13-094. This bulletin fixes an information disclosure vulnerability affecting Outlook 2007, 2010, and 2013. While it has not been observed exploiting users in the wild, it has been publicly disclosed. The vulnerability itself manifests when S/MIME certificate metadata is expanded. Attackers could use this vulnerability to obtain the IP address of the victim, as well as open TCP ports, which is useful when performing reconnaissance against a network in preparation for an attack. The more information an attacker can gain about a target, the higher of a chance the attack will succeed.

MS13-092 brings a fix for Hyper-V, addressing an elevation of privilege vulnerability. This affects Windows 8 and Server 2012 (8.1 and Server 2012 R2 are unaffected). To exploit this vulnerability, an attacker would need to gain access to a guest virtual machine within a Hyper-V host. From there, they would need to execute a malicious program, which would either 1) crash the host system, thereby denying service to any users or systems utilizing any guests on the host or 2) execute code on another guest running on the affected host machine. The denial of service attack would be useful for causing a disruption as a distraction, whereas the ability to execute arbitrary code on another guest machine could be incredibly valuable in the context of hosted virtual machine scenarios, permitting the takeover of other guests running on affected Hyper-V hosts.

Lastly, the remaining two bulletins this month fix an information disclosure (MS13-093) and a denial of service (MS13-095). MS13-093 addresses a memory disclosure vulnerability in the Windows ancillary function driver, which could be used in conjunction with a secondary exploit to elevate privileges on a system to kernel level. MS13-095 permits an attacker to crash an affected web service when parsing a malicious X.509 certificate. This could be utilized by attackers to cause a distraction, while they attack other systems on the network.

Be sure to patch the ActiveX 0day (MS13-090), Internet Explorer (MS13-088), and GDI (MS13-089) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, November 13 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7!

In light of our upcoming BeyondSaaS launch, we want to know, do you currently conduct vulnerability assessment scans from the cloud? And if so, how? How often are you doing external scans?

Most awesome answer wins!

>> VEF News Articles

BlackBerry Link Remote Code Execution Vulnerability

Google Encrypts Internal Network
Cyberattack On Haifa Road Network Work Of Unknown, Sophisticated Hackers

IT Admin:
Project Shield
Digital Attack Map

Hidden chips ‘launch spam attacks from irons‘
DARPA slaps $2m on the bar for the ULTIMATE security bug SLAYER

>> VEF Questions & Comments

Edward had asked us for our thoughts regarding using Tor as an enterprise browser standard. DJ’s thoughts were primarily centered on reliability, or lack thereof. Tor is slow and cannot absolutely guarantee anonymity. But, Carter brought a much more relevant and interesting point to light which is that once you’re on the Tor network, your data is in the hands of third parties. If you’re transporting sensitive content, like medical records or intellectual property, you may run into significant legal repercussions.

Chris had mentioned a certain three-letter agency mucking about with encryption popular algorithms… we’re just going to leave this advisory here.

Thank you to everyone that attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly

, ,

Leave a Reply

5 Responses to “November 2013 Patch Tuesday”

  1. Edward

    We are currently not using dedicated cloud services, using SAaS only, so the provider does the scanning and assessment on a quarterly basis.

    November 13, 2013 1:25:10, Reply
  2. Abe

    Currently using Qualys external and internal scanning solutions. We use this weekly and remediate based upon severity and complexity. Always looking for better solutions to vulnerability scanning.

    November 13, 2013 1:28:10, Reply
  3. Greg

    We have used cloud-based scans against our external addresses using a product from one of your competitors. There’s a compelling argument for that approach – it sure makes those scans easy and repeatable. But it also is more costly than using scanners on our own boxes. We continue to pinch pennies.

    Happy Thanksgiving, y’all! Good show today – thanks for the heads up on Project Shield!

    November 13, 2013 1:34:18, Reply
  4. ed

    I would like to enter the contest mentioned during the webinar today – I scan my client’s network every second! how’s that for an awesome response! I’ve implemented ISA Server to monitor traffic as it comes in and goes out. but since isa is an old solution I’m looking at other options including Dambala. So give me my prize and we’ll investigate your software as a possible solution for my clients to replace ISA in the future. 😉

    November 13, 2013 4:46:27, Reply
  5. Ben

    We do not currently conduct vulnerability assessment scans from the cloud. Vulnerability assessments are conducted as needed by outside vendors. This leaves some gaps in availability and frequency of scans, but also offers the flexibility of utilizing different vendors depending on current needs. Scans are currently done on a quarterly basis, with additional scans as needs or audits require. I believe that there are certainly opportunities to bring in additional tools and both scan more frequently and perform scans from the cloud. This seems like a good solution to many of the difficulties that we have faced.

    November 15, 2013 1:35:52, Reply

Additional articles


Scottrade Breach: Identified by Federal Officials

Posted October 5, 2015    Morey Haber

Late afternoon on October 2nd, news leaked out of another large security breach, now at Scottrade. The identity count of records, in the millions again (4.6 million is the latest). This breach comes on the second day of national CyberSecurity month, the first being Experian/T-Mobile breach.

3d image Data Breach issues concept word cloud background

Experian/T-Mobile Data Breach: When 2 Days is not Enough

Posted October 2, 2015    Morey Haber

On October 1, Experian admitted full responsibility for the loss of T-Mobile customer data. 15 million user records dating back to 2013 were effected in the breach, with data including sensitive information that may be decryptable like social security numbers and drivers licenses.


Who Moved My Front Door? (What is Privileged Account Management?)

Posted October 1, 2015    Nigel Hedges

Not too long ago, I was sitting in a room with a very fluffy sales guy. In between words such as “we’ll make this happen” and “leave it with me, I’ll get it sorted” he asked the question “What is Privileged Account Management”?