Security in Context: The BeyondTrust Blog

October 2013 Patch Tuesday: 10 Year Anniversary Edition

Posted October 8, 2013    BeyondTrust Research Team

Happy 10th birthday, Patch Tuesday! This month marks the 10th anniversary of the Patch Tuesday process we’re all familiar with. To kick off the anniversary celebrations, October’s Patch Tuesday fixes vulnerabilities in Internet Explorer, the Windows kernel, .NET, SharePoint, Office, and more. There are a total of 8 patches, fixing 26 unique vulnerabilities; four bulletins are rated critical and the other four are rated important.

Internet Explorer leads the way this month with ten vulnerabilities getting patched, including the broadly exploited zero day vulnerability, CVE-2013-3893. This vulnerability was originally disclosed through a Microsoft security advisory on September 17. It has been seen leveraged in the wild against Internet Explorer 8 and 9. In addition to the publicly disclosed vulnerability, another vulnerability (CVE-2013-3897) has also been seen in targeted attacks in the wild exploiting Internet Explorer 8 browsers. Both of these bugs, along with some other memory corruption vulnerabilities, are getting patched in this month’s MS13-080 bulletin. Roll out this patch as soon as possible.

Several kernel-mode drivers were patched this month in MS13-081, which addresses seven vulnerabilities: two remote code execution vulnerabilities in OpenType and TrueType font handling, and five elevation of privilege vulnerabilities. Both font parsing vulnerabilities, a USB descriptor vulnerability, and an unspecified use after free vulnerability affect almost every version of Windows. Only Windows 8.1, Server 2012 R2, and RT 8.1 escaped this bulletin unscathed. Both font vulnerabilities will be a prime target for attackers in the near future, since this class of vulnerability has proven useful in targeted attacks in the past. Administrators should deploy this patch as soon as possible.

Both .NET and Silverlight received patches this month in MS13-082 and MS13-087. The .NET bulletin addresses three vulnerabilities: a remote code execution vulnerability shared with MS13-081, and two denial of service vulnerabilities, one of which was publicly disclosed. Of the three vulnerabilities in this bulletin, attackers would most likely target the remote code execution vulnerability, which deals with OpenType font parsing. Attackers would create a malicious XAML browser application and attract users to view the application, causing attacker-run code to execute on the victims’ systems. The Silverlight bulletin addresses an information disclosure affecting Silverlight 5 and the Silverlight 5 developer runtime. This would be exploited in a similar manner to the .NET vulnerability, by creating a malicious Silverlight application and attracting victims to view the application, permitting the attacker to view local data from the victim’s system.

MS13-083 addresses a vulnerability in a shared Windows DLL, Comctl32.dll. Almost all versions of Windows are affected, with the exception of XP SP3 (32-bit XP), Windows 8.1, 2012 R2, and RT 8.1. This is a memory corruption that can be exploited by triggering an integer overflow in the shared library, which could be accomplished by sending a malicious request to a vulnerable ASP.NET web application that uses the DSA_InsertItem function. Attackers that successfully exploit this would be able to execute arbitrary code on the vulnerable system. Because this affects so many versions of Windows, and the library is included by default, this patch should be rolled out as soon as possible.

MS13-084 fixes two CVEs in SharePoint. Between them, these vulnerabilities affect SharePoint Services 3.0, SharePoint Foundation, SharePoint Server, Excel Services, Word Automation Services, Web Applications 2010, and Excel Web App 2010, so their scope is not limited to SharePoint servers. One vulnerability permits code execution in the context of the SharePoint service, while the other permits cross-site scripting attacks. The code execution vulnerability can be abused to gain a foothold on the SharePoint server itself, while the cross-site scripting vulnerability would permit an attacker to impersonate a victim’s actions on a site.

Finally, both Excel and Word were patched this month in MS13-085 and MS13-086, respectively. MS13-085 patches Excel 2007, 2010, and 2013, as well as Office for Mac 2011 (in addition to Excel Viewer and the Office Compatibility Pack). This bulletin fixes two vulnerabilities that would allow remote code execution. MS13-086 affects only Word 2003 and 2007 (in addition to the Office Compatibility Pack). Like Excel, Word received fixes for two remote code execution vulnerabilities. If exploited, these vulnerabilities would give the attacker the ability to execute arbitrary code in the context of the current user.

Be sure to patch Internet Explorer (MS13-080), kernel-mode drivers (MS13-081), and the common control library (MS13-083) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, October 9 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Mini!

How has Patch Tuesday affected your business processes and policies regarding patching? Do you gain more utility from regular Patch releases, or does Exploit Wednesday keep you up at night?

Most compelling answer wins!

>> VEF News Articles

CxO:
Adobe Breached, 2.9 Million Records Stolen
Silk Road Seized
BlackHole Exploit Kit Author Arrested in Russia

IT Admin:
It Takes 22 Hours for Malware Distributors to Exploit News Events
Yahoo Recycled Emails Lead to Security Surprises… No One Surprised

Researcher:
Yahoo was Lame, but They Made Up for It
CCC Breaks Apple Touch ID

>> VEF Questions & Comments

Update: CVE-2013-3871 was pulled from the MS13-080 bulletin. According to Microsoft, “CVE-2013-3871 is scheduled to be addressed in a future security update. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.”

Karla asks, “Whenever we talk about Patch Tuesday, it’s always in terms of what vulnerabilities these patches mitigate. What about what they break? If you’re testing patches and you find it breaks something necessary in your environment, how do you offset the risks?” This is a great question. As with every VEF, we discuss each bulletin’s mitigations, which can be found on every Microsoft bulletin page under the section titled “Workarounds”. These mitigations are the primary strategy for reducing risk in lieu of applying a patch, as they usually do one of a few things: remove the only attack vector/surface responsible for the vulnerability, reduce the number of attack vectors available to attackers, or reduce or completely negate the impact of a successful exploitation. Unfortunately, some issues simply do not have a mitigation available. As with any security-related bulletin, any client-based issue will benefit tremendously from running with least privilege, which is something we touch on frequently. If you’re looking for solutions in the least privilege space, check out PowerBroker Windows or PowerBroker UNIX & Linux.

Jamie wanted to know, [paraphrased] “Can the scanner test and report on the version/algorithm/depth of certificates?” The answer is yes; if you search in Retina for “FIPS” or “SSL Certificate”, there are a number of audits related to certificates and FIPS compliance such as 12609 – SSL Certificate Weak Public Key Strength and 16922 – Microsoft Minimum Certificate Key Length (2661254), to name a few.
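For admins who want a quick local check along the same lines as those Retina audits, the following PowerShell snippet is an added example (not part of the original post or a BeyondTrust tool). It walks the local machine’s Personal and Trusted Root stores and flags RSA certificates shorter than the 1024-bit minimum that KB2661254 enforces, plus any certificate signed with MD5 or SHA-1, so the weak ones can be reviewed before a scanner or the 2661254 update trips over them.

```powershell
# Added example: report weak certificates in the local machine stores.
# Assumes Windows PowerShell with the Cert: provider (present by default).
$MinKeyBits = 1024   # minimum RSA key length required by KB2661254

function Get-WeakCertificate {
    param(
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root'),
        [int]$MinimumKeyBits = $MinKeyBits
    )
    Get-ChildItem -Path $StorePath -Recurse |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $cert = $_
            $keyBits = $null
            # Only RSA keys have a meaningful KeySize for this check; skip ECC/DSA.
            if ($cert.PublicKey.Oid.FriendlyName -eq 'RSA') {
                $keyBits = $cert.PublicKey.Key.KeySize
            }
            $sigAlg = $cert.SignatureAlgorithm.FriendlyName
            [pscustomobject]@{
                Store        = $cert.PSParentPath -replace '^.*::', ''
                Subject      = $cert.Subject
                Thumbprint   = $cert.Thumbprint
                KeyAlgorithm = $cert.PublicKey.Oid.FriendlyName
                KeyBits      = $keyBits
                SigAlgorithm = $sigAlg
                NotAfter     = $cert.NotAfter
                WeakKey      = ($null -ne $keyBits -and $keyBits -lt $MinimumKeyBits)
                WeakHash     = ($sigAlg -match 'md5|sha1')
            }
        } |
        Where-Object { $_.WeakKey -or $_.WeakHash }
}

# Usage: list the findings; pipe to Export-Csv to keep a record for the change ticket.
Get-WeakCertificate | Sort-Object Store, NotAfter | Format-Table -AutoSize
```

Run it in an elevated session so the machine stores are readable; certificates reported here are candidates for re-issuance, not automatic deletion, since a root or intermediate in the list may still be chaining production services.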

Thank you to everyone who attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly at research@BeyondTrust.com.


4 Responses to “October 2013 Patch Tuesday: 10 Year Anniversary Edition”

  1. William

    After a couple of Microsoft’s Patch Tuesdays turned into Crash and Fail Wednesdays, we have chosen to make it Lab-test Wednesday, Canary Thursday and Deploy Monday. The whole regularity does allow the entire IT department to operate with a regular schedule. As for Exploit Wednesday, I personally worry about Hacker Tuesday; it is the things that you don’t know that are the scariest. Besides, on Wednesdays the BeyondTrust VEF group really do educate us on what to really be on the lookout for in the coming days.

    October 10, 2013 7:53:31
  2. Taylor

    One of the most important tools to successfully managing and deploying Windows patches for our environment has been Windows Server Update Services (WSUS). Before implementation of WSUS we would allow users to install updates at their leisure. Quickly we discovered that a normal end user will not install updates. With WSUS you can specify when to install updates and also what updates to install. Typically, when patches are released on Tuesday our IT staff will be the first to install. We will then begin testing to ensure that applications are functioning correctly. Most of the time patches do not cause problems (however, this month we have noticed that in Outlook 2013, after applying updates, if we tried to edit a calendar event Outlook would crash). The reason that WSUS is so important is because with those updates that do cause problems it gives us the ability to decline them and wait until a more stable solution is found. Most environments have servers that are not critical to company function. What we will do is begin by updating those servers, after which we will test to see if any problems surface. After testing and watching the blogs to see if other people are having issues with patches, at the end of the week we will install patches on business critical servers. Once again, if we find problems with patches we can use WSUS to decline that update. Regular patching is extremely important to the security of an environment regardless of the few issues that do manifest themselves. The important thing to keep in mind is that these patches are created for a reason even though they might cause issues from time to time. A few issues from time to time is worth dealing with when you consider that once someone does exploit an unpatched vulnerability and steals your information there is no going back.

    October 10, 2013 3:57:08
  3. Nickolas

    Patch Tuesday makes scheduling updates much easier for our business. Once we review the patches to make sure they will not affect operations, we deploy them that weekend. Regular patch releases help us keep on schedule and not fall behind.

    October 11, 2013 8:56:46
  4. Ben

    Patch Tuesday has been incredibly important in being able to get the business on-board with IT for getting the patches rolled out. Prior to having patches released in a predictable manner, they were always in a state of constant testing and release to production which caused the business a great deal of stress. Now, we are able to work with them to get the testing done around various important events they need 100% uptime for and get the patches released to production more quickly with better and more predictable results. Exploit Wednesday hasn’t really been an issue at our organization, luckily! If it was though, I think the impact of that would be less than the positives provided by regular patch releases.

    P.S. – I think that the new iPad mini will include a new Retina screen.

    October 11, 2013 12:25:53
