The first Patch Tuesday of 2013 started with a relatively normal rhythm. We are getting seven bulletins, with two rated "critical" and five rated "important." The one thing upsetting this normal balance is a current 0-day vulnerability that affects Internet Explorer 6, 7 and 8 — which represent 90% of the IE install base at this time — but which is not part of the Patch Tuesday release. It was initially reported by FireEye on December 28, and the exploit has since made it into a Metasploit module and at least one exploit kit. While Microsoft is not providing a patch today, it has provided a Fix-It for the issue, which addresses the known attacks in the wild and also counters the Metasploit module. However, as Exodus Intelligence pointed out over the weekend, there are other ways of triggering the vulnerability that are not covered by the Fix-It. IT admins in enterprises should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8. Admins should apply the Fix-It even though it can be bypassed, because it addresses the currently known attacks.
Back to January's bulletins, where MS13-002 is the most important patch in the lineup. It addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It affects every Windows version from XP to RT, plus all Office versions and a number of other packages, such as SharePoint and Groove. The most likely attack vector is a malicious webpage, but an email with an Office document attachment is also a viable alternative for attackers. Patch this one as quickly as possible.
MS13-001, the second critical vulnerability, is in the Microsoft Windows Print Spooler software on the client side. It is located in a part of the spooler that provides extended functionality and is not exercised by any Windows software, only by third-party software. The need for third-party software, combined with the sequence of steps and events required to exploit this vulnerability, makes us rank it lower than MS13-002. Microsoft has a good post on the SRD blog explaining the components involved.
All the other bulletins are ranked as "important" as they do not allow code execution:
- MS13-004 addresses several .NET issues, but attacks are limited to the Intranet context and cannot be initiated from the Internet, which lowers the risk of this bulletin.
- MS13-005 fixes a flaw in the win32k.sys kernel module that weakens the AppContainer sandbox in Windows 8. By itself it is not a critical flaw, but could be used in conjunction with other vulnerabilities to attack a Windows 8 system.
- MS13-006 prevents a protocol attack on SSLv3 that can happen when a Microsoft browser communicates with a third-party web server. An attacker that controls a network device between the browser and the server could downgrade the communication to SSLv2. The attacker could then exploit any of the common flaws in SSLv2, ultimately eavesdropping on the communication.
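To make the MS13-006 downgrade concrete, here is a small Python model of version negotiation, added as an illustration for this post (it is not Microsoft's code and does not reproduce the real handshake). The version numbers use the actual wire values (SSLv2 0x0002, SSLv3 0x0300, TLS 1.0 0x0301); the handshake shape, the on-path attacker and the two client policies are constructed simplifications. It shows the defensive point: a client that only checks the returned version against what it offered can be talked down to SSLv2 by someone rewriting the server's reply, while a client that enforces a configured floor rejects the downgraded session.

```python
"""Toy model of SSL/TLS version negotiation and an on-path downgrade.
Added example, not code from the original post or from Microsoft.
Wire values are real; everything else is a constructed simplification."""

SSL2 = 0x0002
SSL3 = 0x0300
TLS10 = 0x0301
NAMES = {SSL2: "SSLv2", SSL3: "SSLv3", TLS10: "TLS 1.0"}


def server_hello(server_min, server_max, client_max):
    """Honest server picks the highest version both sides support."""
    chosen = min(server_max, client_max)
    if chosen < server_min:
        raise ValueError("no common protocol version")
    return chosen


def mitm_rewrite(negotiated):
    """Constructed attacker on the path: replaces the server's chosen
    version with SSLv2 before the reply reaches the browser."""
    return SSL2


def client_accepts_lenient(offered_max, negotiated, floor=None):
    """Vulnerable policy: accept any version at or below what we offered.
    The floor argument is ignored, which is exactly the weakness."""
    return negotiated <= offered_max


def client_accepts_strict(offered_max, negotiated, floor=SSL3):
    """Hardened policy: the negotiated version must also be at or above
    the configured minimum, so a rewritten reply is refused."""
    return floor <= negotiated <= offered_max


def run_handshake(client_policy, attacker_present, floor=SSL3):
    """Run one negotiation and return (version name, accepted by client)."""
    client_max = TLS10
    negotiated = server_hello(SSL3, TLS10, client_max)
    if attacker_present:
        negotiated = mitm_rewrite(negotiated)
    accepted = client_policy(client_max, negotiated, floor)
    return NAMES[negotiated], accepted


if __name__ == "__main__":
    for policy in (client_accepts_lenient, client_accepts_strict):
        for attacker in (False, True):
            version, ok = run_handshake(policy, attacker)
            print(f"{policy.__name__:24s} attacker={attacker!s:5s} "
                  f"-> {version:8s} accepted={ok}")
```

The difference between the two policies is the whole fix from the client's point of view: the floor is a local decision that the attacker cannot influence, whereas "no higher than I offered" is a check the attacker trivially satisfies.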
In addition to the Microsoft patches, there is new software coming from Adobe as well. Adobe announced a new version of its Adobe Reader and Acrobat software – APSB13-02. The advisory applies to Windows, Mac OS X and Linux. Microsoft also updated security advisory KB2755801 for Internet Explorer 10, because it includes a new Adobe Flash build, and IT admins should look at the standalone Adobe Flash APSB13-01 release as well. Adobe has also published advisory APSA13-01 for three ColdFusion vulnerabilities. The advisory provides information on workarounds while Adobe works on a patch.
Overall we are looking at a pretty normal Patch Tuesday, with the main worry for IT administrators centered on the Internet Explorer situation and its potential workarounds. One interesting option is to look at Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which has a number of additional mitigation steps that can be applied to Internet Explorer. EMET is effective in preventing the current 0-day and has worked the same way against the last IE 0-day in September, too. I have been running EMET for 6 months now with no side effects – highly recommended as an additional security measure.