Happy 10th birthday, Patch Tuesday! This month marks the 10th anniversary of the Patch Tuesday process we’re all familiar with. To kick off the anniversary celebrations, October’s Patch Tuesday fixes vulnerabilities in Internet Explorer, the Windows kernel, .NET, SharePoint, Office, and more. There are a total of 8 bulletins fixing 26 unique vulnerabilities; four bulletins are rated critical and the other four are rated important.
Internet Explorer leads the way this month with ten vulnerabilities getting patched, including the broadly exploited zero-day vulnerability CVE-2013-3893. This vulnerability was originally disclosed through a Microsoft security advisory on September 17 and has been seen leveraged in the wild against Internet Explorer 8 and 9. In addition to the publicly disclosed vulnerability, another vulnerability (CVE-2013-3897) has also been seen in targeted attacks in the wild against Internet Explorer 8. Both of these bugs, along with several other memory corruption vulnerabilities, are patched in this month’s MS13-080 bulletin. Roll out this patch as soon as possible.
Several kernel-mode drivers were patched this month with MS13-081, addressing seven vulnerabilities: two remote code execution vulnerabilities in OpenType and TrueType font parsing, and five elevation of privilege vulnerabilities. Both font parsing vulnerabilities, a USB descriptor vulnerability, and an unspecified use-after-free vulnerability affect almost every version of Windows; only Windows 8.1, Server 2012 R2, and RT 8.1 came through this bulletin unscathed. Both font vulnerabilities will be a prime target for attackers in the near future, since vulnerabilities of this type have proven useful in targeted attacks in the past. Administrators should deploy this patch as soon as possible.
Both .NET and Silverlight received patches this month, in MS13-082 and MS13-087. The .NET bulletin addresses three vulnerabilities: a remote code execution vulnerability shared with MS13-081, and two denial of service vulnerabilities, one of which was publicly disclosed. Of the three, attackers would most likely target the remote code execution vulnerability, which lies in OpenType font parsing. An attacker would create a malicious XAML browser application and lure users into viewing it, causing attacker-controlled code to execute on the victims’ systems. The Silverlight bulletin addresses an information disclosure vulnerability affecting Silverlight 5 and the Silverlight 5 developer runtime. It would be exploited in a similar manner to the .NET vulnerability: the attacker creates a malicious Silverlight application and lures victims into viewing it, which lets the attacker read local data from the victim’s system.
MS13-083 addresses a vulnerability in a shared Windows DLL, Comctl32.dll. Almost all versions of Windows are affected, with the exception of XP SP3 (32-bit XP), Windows 8.1, Server 2012 R2, and RT 8.1. This is a memory corruption vulnerability that can be exploited by triggering an integer overflow in the shared library, for example by sending a malicious request to a vulnerable ASP.NET web application that uses the DSA_InsertItem function. Attackers who successfully exploit this would be able to execute arbitrary code on the vulnerable system. Because this library ships by default on so many versions of Windows, this patch should be rolled out as soon as possible.
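To make the bug class concrete, here is an added example (written for this post, not Comctl32 code or BeyondTrust’s) of the defensive check that an insert-into-growable-array routine needs. The `dyn_array` type and all function names are hypothetical; only the idea, that an element count multiplied by an element size can wrap around and produce an undersized allocation, is taken from the bulletin description. `unchecked_alloc_size` is kept as a pure computation so the wraparound can be observed without ever allocating or writing through an undersized buffer; `dyn_array_insert` shows the hardened path that refuses the insert instead.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable array of fixed-size elements (illustrative model). */
typedef struct {
    unsigned char *items;   /* backing storage */
    size_t elem_size;       /* bytes per element */
    size_t count;           /* elements in use */
    size_t capacity;        /* elements allocated */
} dyn_array;

int dyn_array_init(dyn_array *a, size_t elem_size) {
    if (elem_size == 0) return -1;
    a->items = NULL; a->elem_size = elem_size; a->count = 0; a->capacity = 0;
    return 0;
}

void dyn_array_free(dyn_array *a) { free(a->items); a->items = NULL; a->count = a->capacity = 0; }

/* The unsafe computation: count * elem_size silently wraps modulo SIZE_MAX+1.
   A caller that allocates this many bytes and then copies `count` elements
   writes past the end of the buffer. Pure function, used only to show the value. */
size_t unchecked_alloc_size(size_t count, size_t elem_size) {
    return count * elem_size;
}

/* Hardened variant: returns 0 and fills *out, or -1 if the product would wrap. */
int checked_alloc_size(size_t count, size_t elem_size, size_t *out) {
    if (elem_size != 0 && count > SIZE_MAX / elem_size) return -1;
    *out = count * elem_size;
    return 0;
}

/* Insert `item` at `index`, shifting the tail right. Returns 0 on success, -1 on
   bad index, overflow or allocation failure. Every arithmetic step that could
   wrap (count + 1, capacity * 2, capacity * elem_size) is checked first. */
int dyn_array_insert(dyn_array *a, size_t index, const void *item) {
    if (index > a->count) return -1;
    if (a->count == SIZE_MAX) return -1;              /* count + 1 would wrap */
    if (a->count == a->capacity) {
        size_t new_cap = a->capacity ? a->capacity : 4;
        if (new_cap > SIZE_MAX / 2) return -1;        /* doubling would wrap */
        new_cap *= 2;
        size_t bytes;
        if (checked_alloc_size(new_cap, a->elem_size, &bytes) != 0) return -1;
        unsigned char *p = realloc(a->items, bytes);
        if (p == NULL) return -1;
        a->items = p; a->capacity = new_cap;
    }
    memmove(a->items + (index + 1) * a->elem_size,
            a->items + index * a->elem_size,
            (a->count - index) * a->elem_size);
    memcpy(a->items + index * a->elem_size, item, a->elem_size);
    a->count++;
    return 0;
}

/* Bounds-checked read; NULL when out of range. */
const void *dyn_array_get(const dyn_array *a, size_t index) {
    return index < a->count ? a->items + index * a->elem_size : NULL;
}

/* Demo 1: a request that would wrap the allocation size. The unchecked
   computation yields 0 bytes; the checked one rejects it. Returns 1 if both hold. */
int demo_overflow_rejected(void) {
    size_t count = (SIZE_MAX / 2) + 1;               /* 2^63 on 64-bit targets */
    size_t bytes = 1;
    int rejected = checked_alloc_size(count, 4, &bytes) == -1;
    return rejected && unchecked_alloc_size(count, 4) == 0;
}

/* Demo 2: normal use. Inserts 1,2,3 at the front (giving 3,2,1), then 9 at
   index 1, and folds the contents into the decimal number 3921. */
int demo_insert_sequence(void) {
    dyn_array a;
    if (dyn_array_init(&a, sizeof(int)) != 0) return -1;
    int v;
    for (v = 1; v <= 3; v++) if (dyn_array_insert(&a, 0, &v) != 0) return -1;
    v = 9;
    if (dyn_array_insert(&a, 1, &v) != 0) return -1;
    int folded = 0;
    for (size_t i = 0; i < a.count; i++)
        folded = folded * 10 + *(const int *)dyn_array_get(&a, i);
    dyn_array_free(&a);
    return folded;
}

int main(void) {
    return (demo_overflow_rejected() && demo_insert_sequence() == 3921) ? 0 : 1;
}
```

The point of the check in `checked_alloc_size` is that it is done on the operands before the multiplication, since the wrapped product itself carries no trace of the overflow; this is the same reason compiler intrinsics such as `__builtin_mul_overflow` exist, and either form is acceptable in new code.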
MS13-084 fixes two CVEs in SharePoint. Between them, these vulnerabilities affect SharePoint Services 3.0, SharePoint Foundation, SharePoint Server, Excel Services, Word Automation Services, Web Applications 2010, and Excel Web App 2010, so their scope is not limited to SharePoint servers. One vulnerability permits code execution in the context of the SharePoint service, while the other permits cross-site scripting attacks. The code execution vulnerability can be abused to gain a foothold on the SharePoint server itself, while the cross-site scripting vulnerability would let an attacker impersonate a victim’s actions on a site.
Finally, both Excel and Word were patched this month, in MS13-085 and MS13-086 respectively. MS13-085 patches Excel 2007, 2010, and 2013, as well as Office for Mac 2011, Excel Viewer, and the Office Compatibility Pack; it fixes two remote code execution vulnerabilities. MS13-086 affects only Word 2003 and 2007 (in addition to the Office Compatibility Pack). Like Excel, Word received fixes for two remote code execution vulnerabilities. If exploited, these vulnerabilities would give the attacker the ability to execute arbitrary code in the context of the current user.
Be sure to patch Internet Explorer (MS13-080), kernel-mode drivers (MS13-081), and the common control library (MS13-083) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, October 9 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.
>> Hello VEF Attendees! Participate in our monthly giveaway here. Answer the question in the comments to win an iPad Mini!
How has Patch Tuesday affected your business processes and policies regarding patching? Do you gain more utility from regular Patch releases, or does Exploit Wednesday keep you up at night?
Most compelling answer wins!
>> VEF News Articles
>> VEF Questions & Comments
Update: CVE-2013-3871 was pulled from the MS13-080 bulletin. According to Microsoft, “CVE-2013-3871 is scheduled to be addressed in a future security update. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action.”
Karla asks, “Whenever we talk about Patch Tuesday, it’s always in terms of what vulnerabilities these patches mitigate. What about what they break? If you’re testing patches and you find it breaks something necessary in your environment, how do you offset the risks?” This is a great question. As with every VEF, we discuss each bulletin’s mitigations, which can be found on every Microsoft bulletin page under the section titled “Workarounds”. These mitigations are the primary strategy for reducing risk in lieu of applying a patch, as they usually do one of a few things: remove the only attack vector/surface responsible for the vulnerability, reduce the number of attack vectors available to attackers, or reduce or completely negate the impact of a successful exploit. Unfortunately, some issues simply do not have a mitigation available. As with any security-related bulletin, any client-side issue will benefit tremendously from running with least privilege, which is something we touch on frequently. If you’re looking for solutions in the least privilege space, check out PowerBroker Windows or PowerBroker UNIX & Linux.
Jamie wanted to know, [paraphrased] “Can the scanner test and report on the version/algorithm/depth of certificates?” The answer is yes: if you search in Retina for “FIPS” or “SSL Certificate”, there are a number of audits related to certificates and FIPS compliance, such as 12609 – SSL Certificate Weak Public Key Strength and 16922 – Microsoft Minimum Certificate Key Length (2661254), to name a few.
Thank you to everyone who attended this month’s VEF. We appreciate all the questions and comments. If you asked a question that we did not answer on the VEF, or did not mention in this blog post, please contact us directly at research@BeyondTrust.com.