The November 2013 release of Microsoft's Security patches include updates for many different Microsoft products and components. Included in the 8 patches, Microsoft has bundled 19 unique vulnerability fixes covering products such as Internet Explorer, Office, Hyper-V, and Outlook, among others.
While Microsoft has yet to provide a fix for the zero-day vulnerability reported against Office 2003 to 2007 and Windows XP through Windows Server 2008, they did surprise a few people by patching a recently reported hole in Internet Explorer versions 7 through 10.
Marc Maiffret, CTO of BeyondTrust has provided us with some clarification and backstory on the patches released today. As always, we are grateful for Marc's willingness to share his expert security advice with the Windows IT Pro community.
The Top 3 points for this release are:
- CVE-2013-3918, one of the recently disclosed 0days, has been patched in MS13-090. CVE-2013-3096 remains unpatched, but has a Fix it solution available.
- GDI receives a patch that is only exploitable via a malicious WordPad document (MS13-089). Affects every supported version of windows.
- Hyper-V gets a patch that fixes a vulnerability that allows an attacker executing code in one guest machine to execute code on another guest machine on the same host (MS13-092)
Marc goes on to say…
- If you’ve been following the news at all these past couple weeks, you will have noticed that not one, but TWO zero-day vulnerabilities have been seen exploited in the wild that target Internet Explorer.The first zero-day,CVE-2013-3906, was announced by Microsoft in anadvisoryand in ablog poststating that it was seen being used against targets in the Middle East and South Asia. While the most recent versions of Windows and Office are unaffected, Vista, Server 2008, and Office 2003 through 2010 are affected, so it is very important to get theFix itrolled out as soon as possible to help protect vulnerable systems. No official patch from Microsoft has been released at this point.
- The second zero-day recently seen is being patched today.MS13-090provides a fix for this vulnerability by setting killbits for the InformationCardSigninHelper ActiveX control. This was originallyreported by FireEye. This vulnerability permits remote code execution on a victim’s system via browse-and-get-owned scenarios. This mimics the attack vector present for vulnerabilities addressed in Internet Explorer this month. While server core versions of Windows Server 2008 and 2012 escaped being affected by this vulnerability, all other supported versions of Windows are affected. Because this has seen active attacks in the wild, it is extremely important to roll this patch out as soon as possible.
- Following the topic of Internet Explorer,MS13-088addresses 10 vulnerabilities in Microsoft’s browser, fixing versions 6 through 11. Among the vulnerabilities, there are two information disclosure bugs and eight memory corruption issues that enable remote code execution–two of which (CVE-2013-3915andCVE-2013-3917) affect every supported version of Internet Explorer. These were all privately reported, with no known exploitation occurring in the wild. Typical exploitation scenarios will include attackers creating a malicious web page and convincing users to view the page, enabling the attackers to execute arbitrary code on the victims’ machines. Because every version of Internet Explorer is affected, it is highly recommended that this patch be rolled out as soon as possible.
- The next bulletin,MS13-089, fixes a vulnerability in GDI, which affects every supported version of Windows from XP to Windows 8.1. To exploit this vulnerability, attackers need to create a malicious file and convince users to open it in WordPad. So while this is not as simple as a browse-and-get-owned scenario offered byMS13-088, it is still potent, due to the fact that it affects every version of supported Windows. Administrators should deploy this patch out as soon as possible.
- Next in the bulletin line-up isMS13-091, addressing three vulnerabilities in Microsoft Office, specifically in Word. Versions affected include Office 2003, 2007, 2010, and 2013. All three vulnerabilities were privately reported with no known exploitation taking place in the wild. One of the vulnerabilities,CVE-2013-1324, affects every supported version of Microsoft Office, so attackers will focus on that one in particular. Because these are all remote code execution vulnerabilities, successful exploitation will result in an attacker’s code being able to run on a victim’s machine within the context of the current user.
- Another Office-related vulnerability is being fixed this month inMS13-094. This bulletin fixes an information disclosure vulnerability affecting Outlook 2007, 2010, and 2013. While it has not been observed exploiting users in the wild, it has been publicly disclosed. The vulnerability itself manifests when S/MIME certificate metadata is expanded. Attackers could use this vulnerability to obtain the IP address of the victim, as well as open TCP ports, which is useful when performing reconnaissance against a network in preparation for an attack. The more information an attacker can gain about a target, the higher of a chance the attack will succeed.
- MS13-092brings a fix for Hyper-V, addressing an elevation of privilege vulnerability. This affects Windows 8 and Server 2012 (8.1 and Server 2012 R2 are unaffected). To exploit this vulnerability, an attacker would need to gain access to a guest virtual machine within a Hyper-V host. From there, they would need to execute a malicious program, which would either 1) crash the host system, thereby denying service to any users or systems utilizing any guests on the host or 2) execute code on another guest running on the affected host machine. The denial of service attack would be useful for causing a disruption as a distraction, whereas the ability to execute arbitrary code on another guest machine could be incredibly valuable in the context of hosted virtual machine scenarios, permitting the takeover of other guests running on affected Hyper-V hosts.
- Lastly, the remaining two bulletins this month fix an information disclosure (MS13-093) and a denial of service (MS13-095).MS13-093addresses a memory disclosure vulnerability in the Windows ancillary function driver, which could be used in conjunction with a secondary exploit to elevate privileges on a system to kernel level.MS13-095permits an attacker to crash an affected web service when parsing a malicious X.509 certificate. This could be utilized by attackers to cause a distraction, while they attack other systems on the network.
- Be sure to patch the ActiveX 0day (MS13-090), Internet Explorer (MS13-088), and GDI (MS13-089) as soon as possible, followed by the rest of the patches.
BeyondTrust is the only security solution vendor providing Context-Aware Security Intelligence, giving customers the visibility and controls necessary to reduce their IT security risks, while at the same time simplifying their compliance reporting.
Read more at BeyondTrust.com