Today for Patch Tuesday, Microsoft and Adobe are both coming out with critical fixes for a number of widely installed and attacked programs. Microsoft has 10 bulletins addressing a total of 33 vulnerabilities, and Adobe is releasing new versions of Adobe Reader, Adobe Flash and Coldfusion.
Microsoft published Fix-it 50992 which their Appcompat shim technology to neutralize the vulnerability. The Fix-it can be accessed at KB2847140
A Metasploit module has been made available for the 0-day vulnerability, which will makes it easier to convince IT managment of the robustness and applicability of the exploit.
Yesterday Microsoft published security advisory KB2847140 about an exploit for 0-day vulnerability (CVE-2013-1347) in Internet Explorer 8. The exploit is in active use in the wild, for example on the compromised website at the US Department of Labor earlier this week, Initially it was widely reported that the website was exploiting a known vulnerability in Internet Explorer to then install the remote access tool Poison Ivy.
April has turned out to be a rather slow month for Patch Tuesday. There are nine bulletins addressing a total of 13 vulnerabilities, but only two of the bulletins are rated “critical,” a category that means an attacker can get control over the targeted machine. The remaining bulletins are all rated “important,” in large part because they require the attacker to have access to the targeted machine in order to exploit the flaws.
It’s the Thursday before April’s Patch Tuesday, and Microsoft’s Advance Notice has gone live.
There are nine bulletins this month, affecting all versions of Windows, some Office and server components and also Windows Defender on Windows 8 and RT. However only two bulletins are rated “critical”.
Bulletin 1 is for all versions of Internet Explorer (IE), including the newest IE 10 on Windows 8 and RT, and should be on the top of your patching efforts. It is rated “critical” and allows Remote Code Execution through today’s most common attack vector: one of your users browsing to a malicious website. Bulletin 2 is the second vulnerability, rated “critical”, and affects the Windows Operating System, except the newest versions, WIndows 8, Server 2012 and Windows RT (the tablet version).
The remaining bulletins are all rated “important” and affect Windows, the Sharepoint server, — and interestingly a security product — Microsoft’s malware scanner, Windows Defender on Windows 8 and Windows RT. The vulnerabilities addressed in these bulletins typically allow the attacker Escalation of Privilege from a normal user to an admin level user once they are already on the machine or can trick the user to open a specifically-crafted file.
In other important news, the PostGreSQL Open Source project has published a new version of its database product that addresses five security flaws. One of them, CVE-2013-1899 allows the attacker to delete database files without authentication, leading to data loss and denial of service, and they considered it important enough to warrant last week a pre-announcement of the upcoming release expected this week.
Please keep also in mind that Oracle has scheduled an extra release for Java this month. Normally Java is on a four-month release cycle: February, June and October of each year. Due to the amount and severity of recent vulnerabilities discovered, there will be an additional release that will go live on April 16th.
In terms of volume, March’s Patch Tuesday is about average, with seven bulletins — four rated “critical” and three rated “important.” In technical terms though we are seeing some interesting vulnerabilities that definitely rate higher-than-average.
Our lineup starts with MS13-021, a patch for Internet Explorer that addresses nine distinct vulnerabilities. One of the vulnerabilities (CVE-2013-1288) had an exploit out in the wild for one month, but almost nobody noticed it. It appears that while preparing a Metasploit exploit for MS13-009, which was in the February IE patch, Scott Bell inadvertently coded an exploit for another, so far unknown, vulnerability. His testing did not reveal any problems; after all, the exploit worked as desired on Internet Explorer 8 without MS13-009. Later, Venustech and Qihoo 360, both security companies located in China, noticed that the exploit still worked even against a fully patched Internet Explorer 8 and informed Microsoft of the issue. The attack vector is through a Web page that anybody with access to Metasploit can set up quite easily. You are going to want to patch this as quickly as possible.
The second vulnerability in our ranking is MS13-027, rated as only “important” by Microsoft due to the physical machine access that is required to exploit it. MS13-027 addresses a flaw in the USB driver on Windows that allows an attacker to get code execution by simply inserting a USB drive into the target machine. This method has in the past been described as the “evil maid” attack. The attack vector is broad, encompassing anybody who has access to your unattended computer, be it the janitor at your workplace, the staff at the hotel where you are staying, or anywhere somebody with physical access can insert a USB drive into your computer.
Now back to the normal vulnerabilities. MS13-022 is a patch for Silverlight, addressing three flaws that can be used to take control of both Windows and Mac OS X computers. MS13-024 is a fix for a persistent XSS vulnerability on Sharepoint, where the attacker plants code into a search query. Later when an admin reviews the queries, the code is run in the admin’s context giving full control to the attacker. The final critical vulnerability is fixed by MS13-023 in Visio Viewer, which would be triggered through a Web page containing a malicious Visio document.
Also today Adobe released APSB13-09, a new version of their Flash player, which addresses four critical vulnerabilities. Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible. Microsoft has updated KB2755801 indicating that a new IE10 will contain the updated Flash player.
In other security news, last week the PWN2OWN competition at the CanSecWest security conference produced some very clear and sobering results. It demonstrated that any of the platforms that we have in use today can be attacked successfully if enough incentive is given. Security researchers from all over the world were awarded a total of (US) $520,000 in prize money for their exploits against Java ($20,000 claimed four times), Chrome, Firefox and Internet Explorer 10 ($100,000 claimed once each), as well as Adobe Flash and Reader ($70,000 claimed once each). The targeted companies are now working on getting their products fixed, something that both Mozilla and Google addressed with the first 24 hours post PWN2OWN.
It is the beginning of March and Microsoft just published the Advance Notice for this month’s Patch Tuesday.
We will get seven bulletins next week, affecting all versions of Windows, some Office components and also Mac OS X, through Silverlight and Office. Four of the bulletins carry the highest severity rating of “critical”.
Bulletin 1 will be on the top of our list next week. It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT. Bulletin 2 addresses critical vulnerabilities in Microsoft Silverlight, both on Windows and Mac OS X, and is widely installed at least on end-user workstations to run media applications, for example Netflix. Bulletin 3 is a vulnerability in Visio and the Microsoft Office Filter Pack. It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the “critical” rating. The last critical bulletin is for Sharepoint server.
The three remaining bulletins are all rated “important” and apply to OneNote, Office 2010 for Mac and Windows itself.
In other security news, the ZDI’s PWN2OWN competition is currently going on at the CanSecWest security conference in Vancouver. PWN2OWN awards prizes ranging from US$ 20,000 to US$ 100,000 to security researchers who can demonstrate vulnerabilities in the following products: Adobe Flash, Adobe Reader, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Oracle Java. In yesterday’s run, prizes have been claimed for Oracle Java by James Forshaw, Oracle Java again by Joshua Drake, IE10 on Windows 8 by VUPEN, Google Chrome on Windows 7 by a team from MWR Labs, John and Nils and finally Mozilla Firefox and finally Oracle Java, both by the team at VUPEN. Today the competition continues with attacks on Adobe Reader, Adobe Flash and IE10, and is then followed by Google’s Pwnium3, which awards prizes of over US$ 100,000 for vulnerabilities in Google’s ChromeOS.
You can expect patches for these vulnerabilities to be released over the coming weeks. We will keep you updated here, so stay tuned.