It is Windows 10 first Patch Tuesday and 40% of the August bulletins for generic Windows apply to the newest version of the operating system: Windows 10. In addition there is an exclusive bulletin for the new browser Microsoft Edge, the leaner and faster replacement for Internet Explorer that addresses three critical vulnerabilities. Windows 10 fares a bit better than WIndows 8, which had 60% in its first two months, where three out of five bulletins were applicable. From a security perspective Windows 10 brings much improvement and we are curious to see how the acceptance of Windows 10 will play out, especially comparing the enterprise side and consumer side. On the Enterprise level we think the Virtual Secure Mode that takes credential hashes out of the Windows kernel the biggest advance, while for the consumer it is the new patching schedule, which basically keeps Windows always updated with the latest updates.
In terms of volume, March’s Patch Tuesday is about average, with seven bulletins — four rated “critical” and three rated “important.” In technical terms though we are seeing some interesting vulnerabilities that definitely rate higher-than-average.
Our lineup starts with MS13-021, a patch for Internet Explorer that addresses nine distinct vulnerabilities. One of the vulnerabilities (CVE-2013-1288) had an exploit out in the wild for one month, but almost nobody noticed it. It appears that while preparing a Metasploit exploit for MS13-009, which was in the February IE patch, Scott Bell inadvertently coded an exploit for another, so far unknown, vulnerability. His testing did not reveal any problems; after all, the exploit worked as desired on Internet Explorer 8 without MS13-009. Later, Venustech and Qihoo 360, both security companies located in China, noticed that the exploit still worked even against a fully patched Internet Explorer 8 and informed Microsoft of the issue. The attack vector is through a Web page that anybody with access to Metasploit can set up quite easily. You are going to want to patch this as quickly as possible.
The second vulnerability in our ranking is MS13-027, rated as only “important” by Microsoft due to the physical machine access that is required to exploit it. MS13-027 addresses a flaw in the USB driver on Windows that allows an attacker to get code execution by simply inserting a USB drive into the target machine. This method has in the past been described as the “evil maid” attack. The attack vector is broad, encompassing anybody who has access to your unattended computer, be it the janitor at your workplace, the staff at the hotel where you are staying, or anywhere somebody with physical access can insert a USB drive into your computer.
Now back to the normal vulnerabilities. MS13-022 is a patch for Silverlight, addressing three flaws that can be used to take control of both Windows and Mac OS X computers. MS13-024 is a fix for a persistent XSS vulnerability on Sharepoint, where the attacker plants code into a search query. Later when an admin reviews the queries, the code is run in the admin’s context giving full control to the attacker. The final critical vulnerability is fixed by MS13-023 in Visio Viewer, which would be triggered through a Web page containing a malicious Visio document.
Also today Adobe released APSB13-09, a new version of their Flash player, which addresses four critical vulnerabilities. Flash users on Windows, Mac OS X and Android are affected and should update as quickly as possible. Microsoft has updated KB2755801 indicating that a new IE10 will contain the updated Flash player.
In other security news, last week the PWN2OWN competition at the CanSecWest security conference produced some very clear and sobering results. It demonstrated that any of the platforms that we have in use today can be attacked successfully if enough incentive is given. Security researchers from all over the world were awarded a total of (US) $520,000 in prize money for their exploits against Java ($20,000 claimed four times), Chrome, Firefox and Internet Explorer 10 ($100,000 claimed once each), as well as Adobe Flash and Reader ($70,000 claimed once each). The targeted companies are now working on getting their products fixed, something that both Mozilla and Google addressed with the first 24 hours post PWN2OWN.