February 2013 Patch Tuesday

The second Patch Tuesday of 2013 has a much higher volume than usual. There are 12 bulletins, five of which are critical, addressing a total of 57 vulnerabilities. But the majority are concentrated in two bulletins, one covering Internet Explorer (IE), the other one the Windows Kernel driver win32k.sys.

The two bulletins affecting IE are the highest priority. One of them, MS13-009, is referred to as the "core" IE update by Microsoft because it addresses a number of vulnerabilities directly in IE. It covers 13 bugs with all but one of them being Remote Code Execution vulnerabilities that can be used by an attacker to gain control over a user’s machine via drive-by-download. That type of attack is common and is easily accomplished by surreptitiously installing malware on a Web surfer’s computer when he or she visits a page with malicious code on it.

The second bulletin also affecting IE, MS13-010, addresses a vulnerability in an ActiveX Dynamic-Link Library (DLL). It is rated critical and quite urgent to fix because the vulnerability is being exploited in the wild. The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional Vector graphics. VML has been patched twice before in 2007 and 2011 and it would probably be safest to delete it altogether, but there does not seem to be a way to do this short of disabling all ActiveX processing. Both IE updates, core and VML, should be installed as quickly as possible.

Speaking of patching quickly: after last week’s Flash release from Adobe to address two 0-day vulnerabilities, today they released again a new version (APSB13-05) of its Flash plug-in, this time addressing 17 vulnerabilities. Users of IE 10 and Google Chrome will get updated automatically, because these two browsers integrate Adobe Flash in their sandboxes. By the way, Qualys' free MS13-012. It addresses vulnerabilities in the popular Outlook Web Access (OWA) component of Microsoft Exchange caused by the inclusion of the Oracle Outside-In libraries in Exchange. Attackers could exploit this vulnerability by sending a malicious document to a user. If the user opens it through OWA, the act of rendering the document infects the mail server as it uses the vulnerable libraries. It is not the first time that the Oracle libraries have caused this problem in Exchange, and attackers might be quick in exploring this vulnerability. As a result, we recommend to schedule a patch as quickly as possible.

Here are a couple of other updates of note:

• MS13-020 is a critical bulletin that affects only installations of Windows XP, which is on its way to becoming obsolete. If you are still running XP, you should make this patch a high priority and start planning for its replacement as its end-of-life is set for April 2014.
• MS13-011 is the last critical bulletin and fixes an issue in Windows that can only be exploited when a certain codec popular in Asian countries is installed. There is public PoC code available, so if you are in the target group you should prioritize accordingly.
• MS13-016 is where the bulk of this month vulnerabilities reside. Security researcher j00ru from Google reported 30 new vulnerabilities in a Microsoft kernel driver, all of which can be used to gain system privileges on a machine that the attacker already has some control over. BTW, j00ru is also on the team that is credited with 15 vulnerabilities found in Adobe Flash.