Security in Context: The BeyondTrust Blog

September 2013 Patch Tuesday

Posted September 10, 2013    BeyondTrust Research Team

September’s Patch Tuesday fixes vulnerabilities in SharePoint, Outlook, Word, Excel, kernel-mode drivers, and more. There are a total of 13 patches, fixing 47 unique CVEs; four bulletins are rated critical and nine bulletins are rated important.

MS13-067 addresses ten vulnerabilities in SharePoint Server, covering versions 2003, 2007, 2010, and 2013, along with Office Web Apps 2010. The patch addresses multiple elevation of privilege vulnerabilities that could allow an attacker to execute code in the context of another SharePoint user. It also fixes multiple remote code execution vulnerabilities, many of them memory corruption issues in the processing of Word documents, and a denial of service vulnerability. Note that one of the elevation of privilege vulnerabilities, CVE-2013-3180, has been publicly disclosed and is therefore likely to gain more attention from attackers. As the Snowden leaks have shown us, it is important to keep information stored on systems like SharePoint as secure as possible, so make sure to get this patch rolled out as soon as possible.

MS13-068 fixes a critical privately reported vulnerability in Outlook, which could be used to execute arbitrary code in the context of the current user. It affects Outlook 2007 and 2010. Attackers can exploit this by crafting malicious S/MIME messages and sending them to target users. When the user opens the malicious message, the vulnerability will be exploited, causing the user’s system to be compromised and the attacker’s code to run in the context of the current user. Because of this attack vector, it is very important that this patch be rolled out as soon as possible.

MS13-069 addresses ten memory corruption vulnerabilities in Internet Explorer. While every supported version is affected, no single CVE affects every version of Internet Explorer. This differs from recent months, in which at least one CVE affected every supported version of Internet Explorer. Any of these vulnerabilities can be used in drive-by exploits that would result in the attacker’s code being executed in the context of the current user. This patch should be deployed as soon as possible.

Two non-Office client-side user-land components were also patched this month. MS13-070 fixes a privately disclosed vulnerability in Object Linking and Embedding (OLE), which is often used to embed multimedia content in documents. Additionally, MS13-071 addresses a vulnerability dealing with themes in Windows. Exploitation of this vulnerability would only be possible if a user applied a malicious theme. For both of these bulletins, successful exploitation would result in remote code being executed on the user’s system in the context of the current user’s account.

A number of Office products were fixed this month, including Word, Excel, and Access. MS13-072 patches 13 vulnerabilities in Office Word, in versions 2003, 2007, and 2010. Office 2013 was not affected by these vulnerabilities. MS13-073 addresses three vulnerabilities in Excel, spanning versions 2003, 2007, 2010, and 2013, as well as Office for Mac 2011. MS13-074 fixes three vulnerabilities in Access, affecting versions 2007, 2010, and 2013. All of these bulletins fix remote code execution vulnerabilities, as well as some other types of vulnerabilities. It should be noted that some of the vulnerabilities addressed in MS13-072 and MS13-073 were also addressed in MS13-067.

A few privilege elevation vulnerabilities, which could lead to system privileges, were fixed this month. MS13-075 addresses an issue with the Office 2010 Pinyin Input Method Editor (IME), which permits an attacker to launch Internet Explorer from the IME toolbar with system-level privileges rather than the normal user-level privileges. MS13-076 fixes seven vulnerabilities in Windows kernel-mode drivers, affecting every supported version of Windows with the exception of Windows 8.1, RT 8.1, and Server 2012 R2. MS13-077 patches a vulnerability in the Service Control Manager for Windows 7 and Server 2008 that can be exploited by attackers who modify the system’s registry. All of these bulletins require that an attacker already be able to execute code locally on the system, meaning that unauthenticated exploitation is not possible. Attackers would likely chain one of these with an exploit that targets user-land client-side software, such as one of the Office vulnerabilities patched this month.

The last two bulletins round out this month’s patch cycle. MS13-078 fixes an information disclosure vulnerability in Microsoft FrontPage 2003. To exploit it, attackers would convince users to view a malicious FrontPage document, which would disclose local file contents to the attacker. Lastly, MS13-079 addresses a vulnerability in Active Directory that could allow an attacker to cause a denial of service condition on vulnerable systems by sending a malicious LDAP query. This could be used by attackers as a distraction while performing attacks on other systems throughout the network.

Be sure to patch SharePoint (MS13-067), Outlook (MS13-068), and Internet Explorer (MS13-069) as soon as possible, followed by the rest of the patches. Also, be sure to join us for the Vulnerability Expert Forum tomorrow, Wednesday, September 11 at 1pm PT, where we cover these patches, as well as other security news. Sign up here.

>> Hey September VEF Attendees! Answer the question below and have a chance at winning an iPad Mini! Winner will be selected next week.

“What’s your best strategy (how-to) for managing and patching vulnerabilities in Microsoft products like SharePoint server and Office products?”

>> VEF News Articles

CxO:
Internet has vuln.
Forget Passwords: Nymi Knows You By Your Heartbeat

IT Admin:
What NSA snoops like about the iPhone

Researcher:
Researchers: Oracle’s Java Security Fails
Researchers outwit Apple, plant malware in the App Store

>> VEF Questions & Comments

Haralambos mentioned that KB2817630 was pulled by Microsoft for an incompatibility with Outlook 2013. If your folder pane is blank in Outlook 2013, uninstall the update. Thanks Haralambos!

Jeffrey asked if Windows theme files would be a good attack vector for bypassing anti-virus. Our take on this is that unless you have specifically told your AV engine not to scan theme files, the AV scan engine will scan the theme file both when it is downloaded and when it is accessed. If a malicious theme file is found in the wild or submitted to an antivirus company, a signature will be created, and any AV solution that has the signature will detect exploit attempts, provided the signature is effective.

Thank you to everyone that attended this month’s VEF. We appreciate all the questions and comments. If there was a question you asked that we did not answer on the VEF, or did not mention in this blog post, please contact us directly at research@BeyondTrust.com.

9 Responses to “September 2013 Patch Tuesday”

  1. Bogdab

    Best way to patch software is: 1) Get Microsoft updates 2) Watch list of nullday exploits for software and update it 3) have alerts on updating software 4) watch and keep in mind such software as: Adobe products, Office, browsers, Sun products.
    5) Have watchlist/mailing list of vulnerable software. Thank you and regards from IT security team in Ukraine – CQR.

    September 11, 2013 1:27:08
  2. Jeffrey

    We use Microsoft Update on servers, and keep up to date with various blogs, user feedback, and the monthly Vulnerability Experts Forum from BeyondTrust before applying and scheduling updates.

    September 11, 2013 1:30:53
  3. Nickolas

    WSUS is a crucial tool to keep your Microsoft network up to date. Also, staying up to date on the latest vulnerabilities by watching BeyondTrust webinars and keeping up to date on other respectable security blogs.

    September 11, 2013 1:32:26
  4. Victor Martinez

    One way is to do a scan of the server using a tool to look for BeyondTrust vulnerabilities that are needed for the server or Microsoft products.

    Made it necessary to update missing patches, performing a server maintenance window or always the affected product to the end user, reporting the activity to be performed.

    This will keep the network secure and produce affected by vulnerabilities.

    September 11, 2013 1:41:41
  5. Craig

    Our department tries to make employees aware of suspicious requests and pop-ups. Meanwhile our IT dept. must search the internet for posts on vulnerabilities and stop-gap fixes until MS provides an official patch or revision to their software products.

    September 11, 2013 1:42:54
  6. Darius

    I think the best strategy for managing and patching vulnerabilities in SharePoint server and Office products is to first run the most recent version of the applications. Running the older versions of applications just increases your risk and exposure to known vulnerabilities. Once the newest applications are deployed within your environment, staying on top of the released patches with an automated patch management system like SCCM will allow you to quickly deploy updates to systems in your network. Also key to the strategy is the monitoring of your environment to make sure that your automation efforts are hitting your targets. You can’t just set it and forget it, you have to have the human element to manage your strategy and solutions.

    September 11, 2013 1:46:00
  7. Lisa

    I’ve seen WSUS (Windows Server Update Services) used in a large campus successfully for managing Microsoft updates.

    Aside: The TechNet URL for WSUS is here: http://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

    You also will need to audit your environment to ensure that the important patches were deployed successfully, and no (critical) systems were missed. A reliable and constantly updated vulnerability management tool for your network is a really useful tool – as it brings awareness to systems that may not have been rebooted and also third-party vendor security updates.

    Also, if you aren’t aware of it, BeyondTrust offers a quick & useful “Patch Tuesday Recap” webinar that gets you the info you need quick when it comes to MS updates.

    September 11, 2013 1:54:38
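A scripted version of the audit Lisa describes, added here as an example (not code from the post or any commenter): it queries each host for installed Windows updates, reports any required KB that is missing, and flags hosts whose last boot predates their newest update install, i.e. systems that may not have been rebooted. The host names and KB ids are placeholders to be replaced with your inventory and the KB numbers Microsoft lists for each MS13-xxx bulletin; it assumes remote WMI/WinRM access to the hosts.

```powershell
# Added example, not code from the post or its commenters. Host names and KB ids
# are placeholders; substitute the KB numbers Microsoft lists for each bulletin.
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),
    [string[]]$RequiredKB   = @('KB0000001', 'KB0000002')
)

$report = foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering, which lists Windows updates
        # only; Office updates such as KB2817630 do not appear here.
        $hotfixes  = Get-HotFix -ComputerName $computer -ErrorAction Stop
        $installed = $hotfixes | Select-Object -ExpandProperty HotFixID
        $missing   = $RequiredKB | Where-Object { $installed -notcontains $_ }

        # A host whose last boot predates its newest update install has most
        # likely not rebooted since patching, so the fix may not be in effect.
        $lastBoot  = (Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $computer).LastBootUpTime
        $newestFix = ($hotfixes | Where-Object { $_.InstalledOn } |
                      Sort-Object InstalledOn -Descending |
                      Select-Object -First 1).InstalledOn

        [pscustomobject]@{
            Computer      = $computer
            Reachable     = $true
            MissingKB     = ($missing -join ', ')
            RebootPending = [bool]($newestFix -and $lastBoot -lt $newestFix)
            LastBoot      = $lastBoot
        }
    } catch {
        # Unreachable hosts are reported rather than silently skipped
        [pscustomobject]@{
            Computer      = $computer
            Reachable     = $false
            MissingKB     = 'unknown'
            RebootPending = $null
            LastBoot      = $null
        }
    }
}

# Hosts needing attention (unreachable, missing a KB, or not rebooted) sort first
$report |
    Sort-Object { -not $_.Reachable -or $_.MissingKB -ne '' -or $_.RebootPending } -Descending |
    Format-Table -AutoSize
$report | Export-Csv -Path .\patch-audit.csv -NoTypeInformation
```

The CSV gives a per-host record to reconcile against WSUS reporting; a vulnerability scanner is still needed to cover third-party software, which this check does not see.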
  8. Cyrus

    Hard to answer without giving out all the details! Our strategy is to model potential threats to the designs of the various architects and project managers, first starting with proactive measures (configuration), then reactive (patching). For example with Office, to reduce the attack surface we remove default, legacy or backwards compatibility features if possible, then lock down the configuration as needed. Patching for servers like SharePoint uses WSUS via mirrored virtual images (one patches while the other serves). The patching cycle is staged to ensure nothing breaks and rolled out exponentially as issues are resolved and assets are deemed stable.

    September 11, 2013 2:27:12
  9. Haralambos 'Harry'

    “What’s your best strategy (how-to) for managing and patching vulnerabilities in Microsoft products like SharePoint server and Office products?”

    Now I note that this question doesn’t ask what I’m actually doing but what my best strategy is… so I’m going to toss in both, strategy first.

    Everyone (home users and each and every company) has different (A) computing environments, (B) resources to support them and (C) requirements or compliance issues that impact them. Grandma may depend on her teenage grandson to support her after school, and a global company has to use rotating helpdesk staff to offer “follow-the-sun” support. In each case the environment will be different, and how you deal with supporting the endpoint devices, whether they are smart phones or CAD workstations, defines what type of patch management you use. Even grandma has an SLA (you don’t want to miss those fresh baked cookies, right?!?) and even if it’s not been defined there’s at least an expectation of support from executives, developers, customers, etc. to ensure that everyone’s endpoint device is protected.
    The fact is that in the harsh reality we live in, organized crime and government entities are primarily taking advantage of security flaws found by hackers, and the security flaws, exposures and risks are at times ahead of the patches and solutions that manufacturers give us to work with. Nothing is perfect, and with people and systems we are always at risk of some type of data loss or compromise.
    To complicate matters, patches are not always security related but are used to add features, roll-ups, etc., and if for example you are using cloud based services like Microsoft Lync 2013, if your client is not running with the latest Office 2013 patches, you may be losing features (in case you’re not aware of it, Lync 2013 is part of some Office 2013 SKUs). There was a bad Exchange patch that was not even tested by Microsoft that was just released! Just because it’s been posted as a patch doesn’t mean it won’t blow up systems.

    Onto the strategy… know your customers and communicate, communicate, communicate. Tell them when there is a patch and keep on a schedule. Keep everyone from Grandma to the VP of whatever in the loop as a partner when you’re going to affect something that will change how they work, and you’re less likely to be a thorn in their side when things inevitably change!

    Now onto what my strategy is and what I would recommend for people to do:
    First and foremost, stay informed. Get the details from Microsoft on Tuesday when they come out and then attend the VEF the next day. You should have a recurring meeting set up for the time of the VEF to make sure you have that time free so a less important meeting invitation is not sent to you. Next, get signed up for as many different patch management e-lists as possible to hear from as many other peers as possible who are also testing patches, finding and posting/reporting problems and solutions! I also check the Internet Storm Center from sans.edu to see what some of the ratings/impacts are.
    Second, patch on a schedule. When something is emergent, get it out ASAP so you’re not a victim. Then patch machines over a 2-week period to allow patching non-production machines so you can monitor them for 1-7 days to test and vet out any issues before patching production servers.

    September 13, 2013 1:43:20
