Security in Context: The BeyondTrust Blog

October 2013 Patch Tuesday: 10 Year Anniversary Edition

Posted October 8, 2013    BeyondTrust Research Team

Happy 10th birthday, Patch Tuesday! This month marks the 10th anniversary of the Patch Tuesday process we’re all familiar with. To kick off the anniversary celebrations, October’s Patch Tuesday fixes vulnerabilities in Internet Explorer, the Windows Kernel, .NET, SharePoint, Office, and more. There are a total of 8 patches, fixing 26 unique vulnerabilities; four bulletins are rated as critical and the other four are rated as important.

Internet Explorer leads the way this month with ten vulnerabilities getting patched, including the broadly exploited zero day vulnerability, CVE-2013-3893. This vulnerability was originally disclosed through a Microsoft security advisory on September 17. It has been seen leveraged in the wild against Internet Explorer 8 and 9. In addition to the publicly disclosed vulnerability, another vulnerability (CVE-2013-3897) has also been seen in targeted attacks in the wild exploiting Internet Explorer 8 browsers. Both of these bugs, along with some other memory corruption vulnerabilities, are getting patched in this month’s MS13-080 bulletin. Roll out this patch as soon as possible.

Kernel-mode drivers were patched this month with MS13-081, addressing seven vulnerabilities: two remote code execution vulnerabilities dealing with OpenType and TrueType fonts, and five elevation of privilege vulnerabilities. Both font parsing vulnerabilities, a USB descriptor vulnerability, and an unspecified use-after-free vulnerability affect almost every version of Windows. Only Windows 8.1, Server 2012 R2, and RT 8.1 are unaffected by this bulletin. Both of the font vulnerabilities will be a prime target for attackers in the near future, since these types of vulnerabilities have proven to be useful in targeted attacks in the past. Administrators should deploy this patch as soon as possible.

Both .NET and Silverlight received patches this month in MS13-082 and MS13-087. The .NET bulletin addresses three vulnerabilities: a remote code execution vulnerability shared with MS13-081, and two denial of service vulnerabilities, one of which was publicly disclosed. Of the three vulnerabilities in this bulletin, attackers would most likely target the remote code execution vulnerability, which deals with OpenType font parsing. Attackers would create a malicious XAML browser application and attract users to view the application, causing attacker-run code to execute on the victims’ systems. The Silverlight bulletin addresses an information disclosure vulnerability affecting Silverlight 5 and the Silverlight 5 developer runtime. This would be exploited in a similar manner to the .NET vulnerability, by creating a malicious Silverlight application and attracting victims to view the application, permitting the attacker to view local data from the victim’s system.

MS13-083 addresses a vulnerability affecting a shared DLL, Comctl32.dll, found in Windows. Almost all versions of Windows are affected, with the exception of XP SP3 (32-bit XP), Windows 8.1, 2012 R2, and RT 8.1. This is a memory corruption vulnerability that can be exploited by triggering an integer overflow in the shared library. This could be accomplished by sending a malicious request to a vulnerable ASP.NET web application that uses the DSA_InsertItem function. Attackers that successfully exploit this would be able to execute arbitrary code on the vulnerable system. Because this affects so many versions of Windows, and the library is included by default, this patch should be rolled out as soon as possible.
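The bug class behind MS13-083, as an added example that is neither the page's nor Microsoft's code: a hypothetical dynamic array (the real DSA_InsertItem internals are not on the page) whose unchecked 32-bit size computation wraps, shown beside the checked version that fails closed so the allocation can never be smaller than the data copied into it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Hypothetical dynamic array, not Comctl32's DSA code: it shows the bug class
 * behind MS13-083, a wrapped 32-bit size that leaves the buffer too small. */
typedef struct {
    unsigned char *data;
    uint32_t count, cap, elem_size;  /* in use, allocated, bytes per element */
} dsa_t;
/* Unchecked computation: wraps silently once cap * elem_size exceeds 4 GiB. */
uint32_t dsa_bytes_unchecked(uint32_t cap, uint32_t elem_size) {
    return cap * elem_size;
}
/* Hardened computation: refuses any capacity whose byte size would wrap. */
bool dsa_bytes_checked(uint32_t cap, uint32_t elem_size, uint32_t *bytes) {
    if (elem_size == 0 || cap > UINT32_MAX / elem_size) return false;
    *bytes = cap * elem_size;
    return true;
}
/* Insert elem at idx, growing when full. Returns 0 on success, -1 on a bad
 * index or on growth that would not fit in 32 bits (fail closed). */
int dsa_insert(dsa_t *a, uint32_t idx, const void *elem) {
    if (idx > a->count || a->count == UINT32_MAX) return -1;
    if (a->count == a->cap) {
        uint32_t bytes, new_cap;
        if (a->cap > UINT32_MAX / 2) return -1;       /* doubling would wrap */
        new_cap = a->cap ? a->cap * 2 : 4;
        if (!dsa_bytes_checked(new_cap, a->elem_size, &bytes)) return -1;
        unsigned char *p = realloc(a->data, bytes);
        if (!p) return -1;
        a->data = p; a->cap = new_cap;
    }
    unsigned char *slot = a->data + (size_t)idx * a->elem_size;
    memmove(slot + a->elem_size, slot, (size_t)(a->count - idx) * a->elem_size);
    memcpy(slot, elem, a->elem_size);
    a->count++;
    return 0;
}
/* Self-check: inserts 1, 3, then 2 at index 1; returns 1 when the array reads
 * 1,2,3 and an out-of-range insert is rejected, 0 otherwise. */
int dsa_demo(void) {
    dsa_t a = { NULL, 0, 0, sizeof(int) };
    int one = 1, two = 2, three = 3, ok;
    ok = dsa_insert(&a, 0, &one) == 0 && dsa_insert(&a, 1, &three) == 0 &&
         dsa_insert(&a, 1, &two) == 0 && dsa_insert(&a, 9, &two) == -1;
    const int *v = (const int *)a.data;
    ok = ok && a.count == 3 && v[0] == 1 && v[1] == 2 && v[2] == 3;
    free(a.data); return ok;
}
```

With 0x40000001 four-byte elements the unchecked size wraps to 4 bytes, which is exactly the under-allocation the checked path refuses.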

MS13-084 fixes two CVEs in SharePoint. Between them, these vulnerabilities affect SharePoint Services 3.0, SharePoint Foundation, SharePoint Server, Excel Services, Word Automation Services, Web Applications 2010, and Excel Web App 2010, so their scope is not limited to SharePoint servers. One vulnerability permits code execution in the context of the SharePoint service, while the other permits cross-site scripting attacks. The code execution vulnerability can be abused to gain a foothold on the SharePoint server itself, while the cross-site scripting vulnerability would permit an attacker to impersonate a victim’s actions on a site.

Finally, both Excel and Word were patched this month in MS13-085 and MS13-086, respectively. MS13-085 patches Excel 2007, 2010, and 2013, as well as Office for Mac 2011, Excel Viewer, and the Office Compatibility Pack; it fixes two remote code execution vulnerabilities. MS13-086 affects only Word 2003 and 2007 (in addition to the Office Compatibility Pack). Like Excel, Word received fixes for two remote code execution vulnerabilities. If exploited, these vulnerabilities would give the attacker the ability to execute arbitrary code within the context of the current user.

Be sure to patch Internet Explorer (MS13-080), kernel-mode drivers (MS13-081), and the common control library (MS13-083) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, October 9 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Mini!

How has Patch Tuesday affected your business processes and policies regarding patching? Do you gain more utility from regular Patch releases, or does Exploit Wednesday keep you up at night?

Most compelling answer wins!

>> VEF News Articles

CxO:
Adobe Breached, 2.9 Million Records Stolen
Silk Road Seized
BlackHole Exploit Kit Author Arrested in Russia

IT Admin:
It Takes 22 Hours for Malware Distributors to Exploit News Events
Yahoo Recycled Emails Lead to Security Surprises… No One Surprised

Researcher:
Yahoo was Lame, but They Made Up for It
CCC Breaks Apple Touch ID

>> VEF Questions & Comments

Update: CVE-2013-3871 was pulled from the MS13-080 bulletin. According to Microsoft, “CVE-2013-3871 is scheduled to be addressed in a future security update. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.”

Karla asks, “Whenever we talk about Patch Tuesday, it’s always in terms of what vulnerabilities these patches mitigate. What about what they break? If you’re testing patches and you find it breaks something necessary in your environment, how do you offset the risks?” This is a great question. As with every VEF, we discuss each bulletin’s mitigations, which can be found on every Microsoft bulletin page under the section titled “Workarounds”. These mitigations are the primary strategy for reducing risk in lieu of applying a patch, as they usually do one of a few things: remove the only attack vector/surface responsible for the vulnerability, reduce the number of attack vectors available to attackers, or reduce or completely negate the impact of a successful exploitation. Unfortunately, some issues simply do not have a mitigation available. As with any security-related bulletin, any client-based issue will benefit tremendously from running with least privileges, which is something we touch on frequently. If you’re looking for solutions in the least privilege space, check out PowerBroker Windows or PowerBroker UNIX & Linux.

Jamie wanted to know, [paraphrased] “Can the scanner test and report on the version/algorithm/depth of certificates?” The answer is yes; if you search in Retina for “FIPS” or “SSL Certificate”, there are a number of audits related to certificates and FIPS compliance such as 12609 – SSL Certificate Weak Public Key Strength and 16922 – Microsoft Minimum Certificate Key Length (2661254), to name a few.

Thank you to everyone who attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly at research@BeyondTrust.com.

4 Responses to “October 2013 Patch Tuesday: 10 Year Anniversary Edition”

  1. William

    After a couple of Microsoft’s Patch Tuesdays turned into Crash and Fail Wednesdays, we have chosen to make it Lab-test Wednesday, Canary Thursday and Deploy Monday. The whole regularity does allow the entire IT department to operate with a regular schedule. As for Exploit Wednesday, I personally worry about Hacker Tuesday; it is the things that you don’t know that are the scariest. Besides, on Wednesdays the BeyondTrust VEF group really does educate us on what to really be on the lookout for in the coming days.

    October 10, 2013 7:53:31
  2. Taylor

    One of the most important tools to successfully managing and deploying Windows patches for our environment has been Windows Server Update Services (WSUS). Before implementation of WSUS we would allow users to install updates at their leisure. Quickly we discovered that a normal end user will not install updates. With WSUS you can specify when to install updates and also what updates to install. Typically, when patches are released on Tuesday our IT staff will be the first to install. We will then begin testing to ensure that applications are functioning correctly. Most of the time patches do not cause problems (however, this month we have noticed that in Outlook 2013, after applying updates, if we tried to edit a calendar event Outlook would crash). The reason that WSUS is so important is because with those updates that do cause problems it gives us the ability to decline them and wait until a more stable solution is found. Most environments have servers that are not critical to company function. What we will do is begin by updating those servers, after which we will test to see if any problems surface. After testing and watching the blogs to see if other people are having issues with patches, at the end of the week we will install patches on business critical servers. Once again, if we find problems with patches we can use WSUS to decline that update. Regular patching is extremely important to the security of an environment regardless of the few issues that do manifest themselves. The important thing to keep in mind is that these patches are created for a reason even though they might cause issues from time to time. A few issues from time to time is worth dealing with when you consider that once someone does exploit an unpatched vulnerability and steals your information there is no going back.

    October 10, 2013 3:57:08
  3. Nickolas

    Patch Tuesday makes scheduling updates much easier for our business. Once we review the patches to make sure they will not affect operations, we deploy them that weekend. Regular patch releases help us keep on schedule and not fall behind.

    October 11, 2013 8:56:46
  4. Ben

    Patch Tuesday has been incredibly important in being able to get the business on board with IT for getting the patches rolled out. Prior to having patches released in a predictable manner, they were always in a state of constant testing and release to production, which caused the business a great deal of stress. Now, we are able to work with them to get the testing done around various important events they need 100% uptime for and get the patches released to production more quickly with better and more predictable results. Exploit Wednesday hasn’t really been an issue at our organization, luckily! If it were, though, I think the impact of that would be less than the positives provided by regular patch releases.

    P.S. – I think that the new iPad mini will include a new Retina screen.

    October 11, 2013 12:25:53