November’s Patch Tuesday cycle brings us fixes for a variety of software including Internet Explorer, the Graphics Device Interface (GDI), Office, Hyper-V, Outlook, and others. There are a total of 8 patches, fixing 19 unique vulnerabilities; three bulletins are rated as critical and the other five are rated as important.
If you’ve been following the news at all these past couple weeks, you will have noticed that not one, but TWO zero-day vulnerabilities have been seen exploited in the wild that target Internet Explorer. The first zero-day, CVE-2013-3906, was announced by Microsoft in an advisory and in a blog post stating that it was seen being used against targets in the Middle East and South Asia. While the most recent versions of Windows and Office are unaffected, Vista, Server 2008, and Office 2003 through 2010 are affected, so it is very important to get the Fix it rolled out as soon as possible to help protect vulnerable systems. No official patch from Microsoft has been released at this point.
The second zero-day recently seen is being patched today. MS13-090 provides a fix for this vulnerability by setting killbits for the InformationCardSigninHelper ActiveX control. This was originally reported by FireEye. This vulnerability permits remote code execution on a victim’s system via browse-and-get-owned scenarios. This mimics the attack vector present for vulnerabilities addressed in Internet Explorer this month. While server core versions of Windows Server 2008 and 2012 escaped being affected by this vulnerability, all other supported versions of Windows are affected. Because this has seen active attacks in the wild, it is extremely important to roll this patch out as soon as possible.
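Since MS13-090 mitigates the issue by setting the kill bit rather than changing the control's code, the practical post-deployment check is whether the kill bit is actually present in the registry. The following PowerShell script is an added example, not part of the original post; the CLSID is a placeholder that you would replace with the control's real CLSID from the bulletin.

```powershell
# Added example (not from the original post): verify that the ActiveX kill bit
# is set for a given CLSID, e.g. after deploying MS13-090.
# The CLSID below is a PLACEHOLDER; substitute the control's real CLSID from the bulletin.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

# Internet Explorer treats a control as killed when bit 0x400 is set in
# the "Compatibility Flags" value under ActiveX Compatibility\{CLSID}.
$killBitFlag = 0x400

# On 64-bit Windows the 32-bit IE view lives under Wow6432Node, so check both.
$paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) {
        Write-Output "$path : no Compatibility entry (kill bit NOT set)"
        continue
    }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) {
        Write-Output "$path : entry exists but no Compatibility Flags value (kill bit NOT set)"
    } elseif (($flags -band $killBitFlag) -ne 0) {
        Write-Output ("{0} : Compatibility Flags = 0x{1:X} (kill bit SET)" -f $path, $flags)
    } else {
        Write-Output ("{0} : Compatibility Flags = 0x{1:X} (kill bit NOT set)" -f $path, $flags)
    }
}
```

On a 32-bit system the Wow6432Node path will simply report as missing; only the first path matters there.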
Following the topic of Internet Explorer, MS13-088 addresses 10 vulnerabilities in Microsoft’s browser, fixing versions 6 through 11. Among the vulnerabilities, there are two information disclosure bugs and eight memory corruption issues that enable remote code execution, two of which (CVE-2013-3915 and CVE-2013-3917) affect every supported version of Internet Explorer. These were all privately reported, with no known exploitation occurring in the wild. Typical exploitation scenarios will include attackers creating a malicious web page and convincing users to view the page, enabling the attackers to execute arbitrary code on the victims’ machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible.
The next bulletin, MS13-089, fixes a vulnerability in GDI, which affects every supported version of Windows from XP to Windows 8.1. To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as the browse-and-get-owned scenario offered by MS13-088, it is still potent, due to the fact that it affects every supported version of Windows. Administrators should roll this patch out as soon as possible.
Next in the bulletin line-up is MS13-091, addressing three vulnerabilities in Microsoft Office, specifically in Word. Versions affected include Office 2003, 2007, 2010, and 2013. All three vulnerabilities were privately reported with no known exploitation taking place in the wild. One of the vulnerabilities, CVE-2013-1324, affects every supported version of Microsoft Office, so attackers will focus on that one in particular. Because these are all remote code execution vulnerabilities, successful exploitation will result in an attacker’s code being able to run on a victim’s machine within the context of the current user.
Another Office-related vulnerability is being fixed this month in MS13-094. This bulletin fixes an information disclosure vulnerability affecting Outlook 2007, 2010, and 2013. While it has not been observed being exploited in the wild, it has been publicly disclosed. The vulnerability itself manifests when S/MIME certificate metadata is expanded. Attackers could use this vulnerability to obtain the IP address of the victim, as well as open TCP ports, which is useful when performing reconnaissance against a network in preparation for an attack. The more information an attacker can gain about a target, the higher the chance that the attack will succeed.
MS13-092 brings a fix for Hyper-V, addressing an elevation of privilege vulnerability. This affects Windows 8 and Server 2012 (8.1 and Server 2012 R2 are unaffected). To exploit this vulnerability, an attacker would need to gain access to a guest virtual machine within a Hyper-V host. From there, they would need to execute a malicious program, which would either 1) crash the host system, thereby denying service to any users or systems utilizing any guests on the host or 2) execute code on another guest running on the affected host machine. The denial of service attack would be useful for causing a disruption as a distraction, whereas the ability to execute arbitrary code on another guest machine could be incredibly valuable in the context of hosted virtual machine scenarios, permitting the takeover of other guests running on affected Hyper-V hosts.
Lastly, the remaining two bulletins this month fix an information disclosure (MS13-093) and a denial of service (MS13-095). MS13-093 addresses a memory disclosure vulnerability in the Windows ancillary function driver, which could be used in conjunction with a secondary exploit to elevate privileges on a system to kernel level. MS13-095 fixes a vulnerability that permits an attacker to crash an affected web service when parsing a malicious X.509 certificate. This could be utilized by attackers to cause a distraction while they attack other systems on the network.
Be sure to patch the ActiveX 0day (MS13-090), Internet Explorer (MS13-088), and GDI (MS13-089) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, November 13 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.
>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win a Nexus 7!
In light of our upcoming BeyondSaaS launch, we want to know, do you currently conduct vulnerability assessment scans from the cloud? And if so, how? How often are you doing external scans?
Most awesome answer wins!
>> VEF News Articles
>> VEF Questions & Comments
Edward had asked us for our thoughts regarding using Tor as an enterprise browser standard. DJ’s thoughts were primarily centered on reliability, or lack thereof. Tor is slow and cannot absolutely guarantee anonymity. But, Carter brought a much more relevant and interesting point to light which is that once you’re on the Tor network, your data is in the hands of third parties. If you’re transporting sensitive content, like medical records or intellectual property, you may run into significant legal repercussions.
Chris had mentioned a certain three-letter agency mucking about with popular encryption algorithms… we’re just going to leave this advisory here.
Thank you to everyone who attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly at research@BeyondTrust.com.