SpiderLabs Blog

Microsoft Patch Tuesday, August 2013

Written by | Aug 13, 2013 8:55:00 AM

The big news this month in Microsoft's Active Protections Program, other than the eight new bulletins, is the expansion of the MAPP program. First Microsoft will be giving select companies like Trustwave a few extra days of advance notification for the upcoming month of bulletins so that we have a little extra time to develop protections for our customers before the bad guys can reverse engineer the patches and come out with exploits. This will further increase the time frame between Patch Tuesday and Exploit Wednesday. Second the program will offer a feed of sorts of malicious URLs, file hashes, incident data and relevant detection guidance to response companies, CSIRTs, ISACs, and security vendors. And third Microsoft will be offering company's who are partners in the program access to a content vulnerability scanner to scan Office documents, PDF files, Flash movies, and suspect URLs in the 'cloud'. Considering that the MAPP program is almost five years old and has changed very little in that time these are welcome expansions to the program.

As for the eight bulletins this month, there are three critical ones that each includes remote code execution. That includes Internet Explorer, XP and Server 2003 and Exchange Server, which doesn't get much more critical. The rest are rated Important and consist of two Elevation of Privilege, two Denial of Service and one Information Disclosure. All five of them impact various parts of Windows itself. Interesting that this month there doesn't seem to be any Office, SharePoint, or other application level patches.

Start scheduling those reboots, your going to need them this month!

 

MS13-059 (KB2862772)

CRITICAL

Remote Code Execution in Internet Explorer

CVE-2013-3184 CVE-2013-3187CVE-2013-3188 CVE-2013-3189 CVE-2013-3190
CVE-2013-3191 CVE-2013-3193 CVE-2013-3194 CVE-2013-3199

There are eleven CVEs fixed in this update. Most of them are memory corruption issues. At least one of which could allow remote code execution if a user views a specially crafted webpage using Internet Explorer and lets face it getting a user to visit a "specially crafted web page" isn't all that difficult these days. This is acritical update if you are using IE on a Windows client and only Moderate if you are running Windows Server. These even impact IE 11 Preview and 8.1 RT Preview. If you are keeping score, CVE-2013-3199 seems to be the worst of the bunch. Microsoft says that exploit code is likely within thirty days which, considering how much attackers love to use IE, I think is probably a safe bet.(Restart #1)

 

MS13-060 (KB2850869)

CRITICAL

Remote Code Execution in Unicode Scripts Processor

CVE-2013-3181

The Unicode Scripts Processor is the Microsoft Windows set of services for rendering Unicode-encoded text, especially complex text layout. In this case a remote code execution could occur if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. This pretty much only impacts Windows XP and Server 2003. It is possible to mitigate this vulnerability without applying the update by setting a custom level in the Security Tab of Internet Options and forcing the system to prompt or disable Font Downloading Security Setting but it is a lot easier to just apply the patch.(Restart #2, maybe)

 

MS13-061 (KB2876063)

CRITICAL

Remote Code Execution in Microsoft Exchange Server

CVE-2013-3781CVE-2013-3776 CVE-2013-2393

While Microsoft correctly lists these vulnerabilities as impacting Exchange Server the real issue is in the included Oracle Outside In Libraries and affect the Web Ready Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. An attacker can take advantage of these if a user previews a specially crafted file using Outlook Web App (OWA). While these vulnerabilities have already been publicly disclosed they have not yet been seen in the wild and Microsoft does not expect exploit code to be written for these anytime soon.(Restart unlikely)

 

MS13-062 (KB2849470)

IMPORTANT

Elevation of Privilege in Remote Procedure Call

CVE-2013-3175

A Remote Procedure Call is basically a common library that allows a client and server to communicate. In this case the way Microsoft Windows handles asynchronous RPC messages could be used by an attacker and result in an Elevation of Privilege. Microsoft does expect exploit code to be written for this one pretty soon so apply those patches, but be sure you get the right one, there are different packages depending on what version of Windows you are running, just turn on Automatic Updates and let the system figure out which one you need. (Restart #3)

 

MS13-063 (KB2859537)

IMPORTANT

Elevation Privilege in Windows Kernel

CVE-2013-2556CVE-2013-3196 CVE-2013-3197 CVE-2013-3198

This vulnerability requires a specially crafted application in order to be exploited which means an attacker must have valid logon credentials and be able to log on locally in order take advantage of this flaw. The primary issue here is how the Windows kernel validates memory address values to disrupt the integrity of Address Space Layout Randomization. ASLR is used to prevent an attacker from reliably jumping to a particular memory address as in the case of a buffer overflow. The particular section of the Windows kernel impacted here is the NT Virtual DOS Machine (NTVDM) that contains a memory corruption issue fixed by this patch. You could try disabling the NTVDM via group policy or by editing the registry but it would be a lot easier to just apply the patch. (Restart #4)

 

MS13-064 (KB2849568)

IMPORTANT

Denial of Service in Windows NAT Driver

CVE-2013-3182

As the name suggests the Windows NAT Driver provides network address translation in Windows. A specially crafted ICMP packet could cause memory corruption forcing the target system to stop responding until it is restarted. (Restart #5)

 

MS13-065 (KB2868623)

IMPORTANT

Denial of Service in ICMPv6

CVE-2013-3183

Considering that the CVEs for MS13-064 and MS13-065 are only one digit off and that they both involve ICMP these are probably very closely related vulnerabilities. This vulnerability is caused when the TCP/IP stack does not properly allocate memory for incoming ICMPv6 packets and like M13-064 a specially crafted ICMP packet could cause memory corruption forcing the target system to stop responding until it is restarted. (Restart #6)

 

MS13-066 (KB2873872)

IMPORTANT

Information Disclosure in Active Directory Federation Services

CVE-2013-3185

Active Directory Federation Services (AD FS) allows the secure sharing of identity information between trusted business partners (known as a federation under Active Directory) across an extranet. This vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which could result in account lockout of the service account used by AD FS. This would result in denial of service for all applications relying on the AD FS instance and reveal information pertaining to the service account. (Restart #7)

 

Phew, that's seven restarts! Well, if you do it the right way anyway, and by the right way I mean install one patch, restart, test, and then install the next patch. Of course most sys admins I know might test them all on a non-production server and then install them all at once in production and restart once. Up to you, but if you really want to live dangerously just skip the testing and go straight to production! Live on the edge baby!