SpiderLabs Blog

Microsoft Patch Tuesday, September 2013

Written by Robert Foggia | Sep 10, 2013 11:39:00 AM

In Chicago, it's been a roller coaster of a summer with cold weather to now steaming hot. Fortunately, the weather held out for last weekend Trustwave summer outing which was held at Six Flags Great America in Gurnee, Illinois. For those who have attended this amusement park, there are plenty of thrills with the Raging Bull, X-flight and Giant Drop.  However, the thrill factor doesn't come close to the September Microsoft patch Tuesday release [especially if you are an IT administrator]. For this month's patch Tuesday, Microsoft has acknowledged thirteen (13) bulletins with four having a critical severity and eight of the bulletins allowing remote code execution conditions. One of the bulletins was pulled from the advance notification, but the thrill factor is still to the ceiling with a majority of bulletins affecting common Microsoft products (IE, Outlook, Office) and there is a good possibility that exploit code will be available for several of the critical bulletins soon. 

For this patch Tuesday, we will explore each of these beasts. Feel free to join us for this extreme ride. Secure your safety bar because this patch Tuesday will have its steep downfalls, its twists-n-turns and it could be a bumpy ride.

MS13-067 (KB2834052)

CRITICAL

Remote Code Execution in SharePoint Server

Like most individuals fearing the Top Thrill Dragster for its speed, administrators should fear MS13-073 based on the MAC Disabled vulnerability (CVE-2013-1330) in SharePoint Server.  This vulnerability will be very attractive to attackers based on its ability for remote code execution and also creating denial of service conditions on a server that may store confidential information. Among these ten (10) CVEs included in this bulletin, many of these are related to MS13-072 and MS13-073.  More information about these vulnerabilities will be provided down the road.  Until then, let the suspense continue [dun dun dun dun...].

Top Thrill Dragster - Sandusky, Ohio



MS13-068 (KB2756473)

CRITICAL

Remote Code Execution in Outlook

This bulletin only contains a single CVE but this one definitely packs a punch.  This is the scariest bulletin of them all; sort of like the Kingda Ka, which is the tallest and one of the steepest roller coasters. You better hold on real tight for this one. If an exploit becomes available for this vulnerability, it would be real nasty for those who are affected and remained un-patched. The security flaw is based on how Microsoft Outlook handles certain specially crafted S/MIME (Secure/Multipurpose Internet Mail Extension) email messages. Essentially, an attacker could launch a spam campaign that would infect those who either open or preview the message in Outlook. Yes, this is extremely frightful. Those who have Microsoft Outlook 2007 (service pack 3) or Microsoft Outlook 2010 (service pack 1 & 2) need to ensure your patched ASAP. However, those with Outlook 2013 will have nothing to fear.

Kingda Ka - Jackson, New Jersey



MS13-069 (KB2870699)

CRITICAL

Memory Corruption Vulnerabilities in IE

This bulletin can get your heart pumping sort of like the gut-wrenching 97-degree negative drop on the Fahrenheit coaster. Since February 2013, all the MAPP Tuesday release included a bulletin with at least one Internet Explorer memory corruption vulnerability. In this release, there is a total of ten (10) CVE's relating to these memory corruption issues with about half of these vulnerabilities being likely to have exploit code released within 30 days.  Make sure you keep your eyes open for spam campaigns that attempt to entice you to visit a specially crafted web page.  Currently, it appears that none of these vulnerabilities been included in an exploit kit quite yet.

Fahrenheit - Hershey, Pennsylvania




MS13-070 (KB2876217)

CRITICAL

Remote Execution in OLE

I consider this bulletin the memory corruption of doom. The Object Linking and Embedding (OLE) framework is an essential API in Windows that allows creating and displaying a compound document, such as an image. For example, if you really liked the below Drop of Doom image and you would like to copy and paste it into Word; the OLE framework would be used during this process. This is one of the few bulletins where a remote code execution vulnerability is found in a essential component of Windows which makes this bulletin really intense. However, only legacy operating system versions are affected, such as Windows XP and Windows 2003 Server.

Drop of Doom - Valencia, California

 

MS13-071 (2864063)

IMPORTANT

Remote Execution in Windows Theme File

The Colossus roller coaster may not be as extreme as Kingda Ka or the Top Thrill Dragster, but it still has its twists and turns. This bulletin only contains a single CVE but it may allow an attacker to remotely execute code with system privileges. Even if an attacker had working exploit code for this vulnerability, it would require the attacker to successfully social engineer a user to open a malicious Windows Theme file. Additionally, this vulnerability would only affect legacy operating systems, such as Windows XP, Windows Vista and Windows Server 2003/2008. This one is still important because you want to make sure your system is protected from the unknown.

Colossus - Surrey, U.K.




MS13-072 (KB2845537) 

IMPORTANT

Remote Execution in Microsoft Office

This is a roller coaster that has a gut-wrenching drop of terror, which is sort of like being unprotected from thirteen (13) major vulnerabilities in  the infamous Microsoft Office. Several of these vulnerabilities are caused by memory corruption flaws, which can result in remote code execution conditions. Additionally, this was one of the previously mentioned vulnerabilities that also affect the Share-point Server bulletin (MS13-067). In order to end this terror, patch now!

Tower of Terror - Gold Coast, Australia



MS13-073 (KB2858300)

IMPORTANT

Remote Execution in Microsoft Excel

Haven't we've been on this thrill ride already (bulletin MS13-072) ? This bulletin covers several buffer-overflow vulnerabilities in Microsoft Excel. It appears that memory corruption vulnerabilities has become a major theme in this MAPP Tuesday release. Additionally, the XML External Entities Resolution Vulnerability (CVE-2013-3159) appears to be very similar to CVE-2013-3160 in bulletin MS13-072 except that this vulnerability is in Microsoft Excel.

Supreme Scream - Buena Park, California



MS13-074 (KB2848637)

IMPORTANT

Remote Execution in Microsoft Access

Similar to MS13-072, and MS13-073, this is another bulletin covering memory corruption vulnerabilities that result remotely code execution. The most frightful part of this bulletin is that versions including Access 2013 and Access 2010 are affected. Fortunately, it is unlikely that these memory corruption vulnerabilities will be exploited in the near future since it appears to have a relatively complex attack vector. Take a breath of relief and lets move on to the next one.

 

AtmosFear - Gothenburg, Sweden

 

MS13-075 (KB2878687)

IMPORTANT

Elevation of Privileges in in Microsoft Office IME (Chinese)

This roller coaster is one of a kind. The bulletin is very unique with it only affecting Chinese version of Microsoft Office due to a vulnerable version of the Input Method Editors (IME) is installed by default. This vulnerability requires the attacker to be logged on to the machine and have valid credentials. However, if the attacker is successful, it could elevate privileges to full-user rights. Those who are not running a Chinese version of Office will have no issues challenging this beast.

Mountain Flyer - China



MS13-076 (KB2876315)

IMPORTANT

Elevation of Privileges in Kernel-Mode Drivers

This bulletin might be a bit of a bumpy ride. The vulnerability affects a wide range of Windows versions including Windows XP to Windows 8. Depending on your Windows version, it could result in the elevation of privileges or denial of service conditions.

The Boss - Eureka, Missouri




MS13-077 (KB2872339)

IMPORTANT

Elevation of Privileges in Windows Service Control Manager

With a sigh of relief, this is the last memory corruption vulnerability covered in this month patch Tuesday. This memory corruption vulnerability was discovered in the Service Control Manager (SCM) which stores information about all installed Windows services and it starts these services at boot time.  Similar to the several beasts of it kind, the attacker would need to trick an authenticated user to open a malicious file in order to successful exploit this vulnerability. This still seems intimating to me!

Intimidator 305 - Doswell, Virginia




MS13-078 (KB2878685)

IMPORTANT

Information Disclosure in FrontPage

This is one of the short bumpy rides with only one CVE. This bulletin covers a information disclosure vulnerability in Frontpage 2003 that appears to be caused by a flaw in the LibXML2. The LibXML brings back flashbacks to a vulnerability that we wrote about back in April as well as a information disclosure vulnerability in Visio (MS13-044). In any case, an attacker would need to entice the target to click on a malicious XML file in order to reveal potential system file content.

Shivering Timbers - Muskegon County, Michigan



MS13-079 (KB2853587)

IMPORTANT

Denial of Service in Active Directory

There is only one CVE in this bulletin but it has the potential to cause chaos in active directory environments by causing LDAP messages not being able to be processed. Once the denial of service condition occurs, the administrator would need to restart this service in order for the LDAP directory service to be responsive.

King Chaos - Gurnee, Illinois




Hopefully, you enjoyed the ride. Before you leave, make sure you ensure that the automatic security update feature is enabled so that these security flaws are patched ASAP.  Have a patch Tuesday Day!!!