The final set of Patch Tuesday updates for 2013 sees Microsoft deliver 11 patches, with five updates rated as Critical ─ one exceptionally so ─ and the remaining six rated as Important. Interestingly, all five Important updates for December relate to Remote Code Execution vulnerabilities. And, though we have old favorites among the Important updates ─ Remote Code Execution, Elevation of Privilege, Information Disclosure ─ we have a new vulnerability rated by Microsoft as “Security Feature Bypass.”
Before we start with this month’s updates, I should mention that Microsoft released two security advisories since its November Patch Tuesday cohort of patches. The first advisory concerned an Elevation of Privilege vulnerability in Windows XP and Server 2003 through an “in the wild” exploitation of the kernel driver NDProxy.sys. The second advisory (released on Dec. 9) related to improperly used certificates that could result in identity spoofing. Customers with operating systems later than Microsoft Vista (e.g., Windows 7 and 8.x) don’t need to take any action because these systems employ an automatic certificate update mechanism. Unfortunately, if you are running Windows XP or Server 2003, there is no fix available from Microsoft.
Back to December’s patches, the first Critical update, MS13-096, deals with a zero-day exploit in the GDI+ graphic component in Windows. According to Haifei Li of McAffee Labs, this security issue could allow attackers full control over a compromised machine through a specially crafted image file (TIFF image file), as demonstrated in an embedded image in a Microsoft Word document. This vulnerability affects Microsoft’s Vista, Server 2008 and older versions of Office, including Office 2003 and 2010. Importantly, Office compatibility packs and viewers are affected. If you are running modern operating systems such as Windows 7/8.x and the latest version of Microsoft Office, you are reportedly not affected by this security issue or patch.
The second Critical update for December relates to the resolution of seven privately discovered vulnerabilities in Microsoft’s Internet Explorer (IE). This patch, MS13-097, affects versions of IE from 6 all the way to the most recent release, version 11, and relates to two vulnerabilities reported as Elevation of Privilege, and five others related to memory corruption issues in Microsoft’s browser. Though this vulnerability is rated as Critical by Microsoft, an attacker would have to wait until a user actually clicked on a specially crafted web-object and would only result in having the same level of privileges as that user. In addition, server operating systems from Microsoft would normally be operating in Enhanced Security Configuration mode, which would significantly reduce the scope and impact of this security issue. If you are running Windows 2008 or 2012 Server Core, this vulnerability and patch will not affect you. This is because IE is not installed/configured on the Core versions of Microsoft Server operating systems.
The third Critical update for December, MS13-098, affects ALL Microsoft operating systems. Quite unusually, this reported vulnerability is applicable to all supported releases of Windows desktop and server operating systems. The security update addresses a reported vulnerability affecting how the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable files. Yep, all versions of Microsoft Windows server and desktop operating systems ─ including 8.1 and Windows RT ─ are affected. Every single platform from Microsoft can be compromised by a specially crafted PE file (to you and me that means an EXE file) that will enable an attacker to take complete control over the compromised machine. Quoting from the Microsoft Security bulletin:
"A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for portable executable (PE) files. An anonymous attacker could exploit the vulnerability by modifying an existing signed executable file to leverage unverified portions of the file in such a way as to add malicious code to the file without invalidating the signature. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
If ever there was a “PATCH NOW” button on your keyboard, this is it.
The fourth Critical update relates to a core component contained within both desktop and server platforms from Microsoft, the Microsoft Scripting Engine. Patch Tuesday update MS13-099 affects versions 5.6, 5.7 and 5.8 of the scripting and automation engine. This means that all Windows desktop and server operating systems are affected by this Remote Code Execution vulnerability, which can be exploited by an attacker who leads a user to click on a specially crafted web page. Administrators should note that the Microsoft Scripting engine is included in RT versions,and this vulnerability is a concern across both 32- and 64-bit platforms. At present, Microsoft does not offer a work-around or offer any mitigating factors.
The fifth Critical update for December’s Patch Tuesday concerns Exchange Server. Microsoft update MS13-105 relates to how documents and emails are handled, and attempts to resolve a Remote Code Execution vulnerability in the Web Ready document and Data Loss Prevention features in Exchange Server. To reduce the exploit potential for this vulnerability, Microsoft recommends that you place both these services under the security context of the LocalService account on the target server.
In addition to these five Critical updates for December, Microsoft also has included six other updates rated as Important. MS13-100 relates to a Remote Code Execution vulnerability in SharePoint server, while MS13-101 relates to an Elevation of Privilege issue with Windows desktops. MS13-103 deals with another Elevation of Privilege issue with ASP.NET, and MS13-104 relates to a security issue in Office that could lead to Information Disclosure over the internet.
The final update from Microsoft is a rare beast. MS13-106 attempts to address a vulnerability in Office that could lead to a Security Feature bypass. Using a specially crafted web page, an attacker could bypass Microsoft’s much-vaunted security component, the Address Space Layout Randomization (ASLR) feature. Microsoft describes ASLR as,
“ASLR randomizes the memory locations used by system files and other programs, making it much harder for an attacker to correctly guess the location of a given process."
ASLR and its cousin DEP were a core component of the revised and much improved security model offered by Microsoft’s Vista desktop operating system, and has been included in all subsequent server and desktop systems. This is a pretty complex attack, however; a user cannot be exploited by this vulnerability by merely reading an email. You actually have to click on the attachment ─ which is something that I never do any more on a Windows platform.
That’s what my iPhone is for.
This article is published as part of the IDG Contributor Network. Want to Join?