Back to Home

Microsoft released another set of updates, June 2013 / ESET NOD32 Blog

windows update · CVE-2013-3660 · patchtuesday

Microsoft released the next set of updates, June 2013

    Microsoft announced the release of a series of patches aimed at fixing vulnerabilities in their products. The security fixes announced earlier in the pre-release (June 6) cover a total of 23 unique vulnerabilities (one fix with Critical status and 4 with Important status). Detailed report (including corrections of corrections with CVE ID) can be found here .

    Critical update MS13-047 targets vulnerabilities like Remote Code Execution, which are present in all versions of Internet Explorer, starting from the 6th version and ending with the latest IE 10 (for all Windows XP - 8 - RT, x32 and x64, for server versions of the OS like Moderate). To apply the fix, you need a reboot. In addition to Internet Explorer, OS components of various versions and the latest version of Microsoft Office 2011 for Mac were updated.

    The company releases security fixes for its products every second Tuesday of the month with two-stage announcement. A few days before the release of the updates themselves, the minimum information is posted, which includes information about the updated products, a list of updates that will be delivered, and the types of vulnerabilities that need to be fixed. The immediate release of the updates themselves is accompanied by the publication of extended information, such as Exploitability Index , correctable product components, exploitation technique.

    Last month was marked by debate between Google and Microsoft on the timing of disclosure of information about 0day vulnerabilities.



    Commented Artem Baranov , ESET analyst in Russia:
    It should be noted that this set of updates contains the least number of patches than all the others that the company released this year. At the same time, we again see an update that eliminates the cross-IE vulnerability, i.e., a vulnerability that is present in all versions of the browser and is of type Remote Code Execution. Last month, the company closed a similar vulnerability (use-after-free) in the IE8 browser, which was used to install the Poison Ivy RAT on computers of US government employees.

    This month we did not see a fix for CVE-2013-3660, a vulnerability such as Elevation Of Privelege, which could elevate user privileges to the system level on all versions of the OS, starting with NT and ending with Windows 8. Details of this vulnerability with exploitation code were published in last month by a researcherTavis Ormandy ( @taviso ) from the Google Security Team. The vulnerability allows you to load arbitrary code into the system address space with its subsequent execution, bypassing the restrictions imposed by the OS.




    Note that the disclosure of the way to exploit the 0day vulnerability, with the publication of working code, has caused controversy in the security community. In particular, Google posted on its blog about the deadline for disclosing information for the 0day vulnerability, which has the status of is-being-exploited-in-the-wild:

    Our standing recommendation is that companies should fix critical vulnerabilities within 60 days - or, if a fix is ​​not possible, they should notify the public about the risk and offer workarounds. We encourage researchers to publish their findings if reported issues will take longer to patch. Based on our experience, however, we believe that more urgent action - within 7 days - is appropriate for critical vulnerabilities under active exploitation. The reason for this special designation is that each day an actively exploited vulnerability remains undisclosed to the public and unpatched, more computers will be compromised.
    ... As a result, after 7 days have elapsed without a patch or advisory, we will support researchers making details available so that users can take steps to protect themselves.

    Our recommendation [ regarding the timeframe for fixing the vulnerability ] to companies is that they should fix critical vulnerabilities within 60 days, otherwise companies should notify the public of emerging risks and propose workarounds to solve the problem. We recommend that the reviewers publish the results of their research if the release of the correction takes more than this time. However, based on our experience, we believe that in case of critical vulnerabilities that are already at the stage of active exploitation, this correction period should not exceed 7 days. The reason for this special measure is the fact that the 0day vulnerability, which is not disclosed to the public and exploited every day, leads to the compromise of a large number of systems.
    ... As a result, if after 7 days the vulnerability remains not closed, we will support researchers who intend to publish details for the public, allowing, thus. users take their own steps to protect their systems.

    Demonstration of the exploit [ personal video Xylit0l ] www.youtube.com/watch?v=z99Flb9WguU .


    General list of updates and products.


    The other four updates, marked Important, are aimed at resolving vulnerabilities in the OS and Microsoft Office.

    The MS13-048 update resolves vulnerability CVE-2013-3136 on 32-bit versions of the OS, starting with Windows XP SP3 and ending with Windows 8. The vulnerability that is fixed is of the Information Disclosure type and belongs to the OS kernel. As a result of successful exploitation, an attacker can gain read access to memory accessible from kernel mode. Exploit code unlikely.

    The MS13-049 update addresses the vulnerability type CVE-2013-3138Denial of Service on Windows 8, Server 2012, RT, and also for Windows Vista, Seven as Moderate. The TCP / IP protocol driver tcpip.sys is corrected, which may incorrectly process packets during a TCP connection, which may lead to the entire system freezing. Exploit code unlikely.

    The MS13-050 update addresses the CVE-2013-1339 vulnerability of the Elevation of Privilege type in the OS starting from Windows Vista and higher and applies to the Print Spooler service. Exploit code likely.

    Update MS13-051aims to address the vulnerability CVE-2013-1331 in Microsoft Office (Remote Code Execution). The old version of Office 2003 and the latest version for Mac, Microsoft Office for Mac 2011, are subject to correction. The vulnerability is related to buffer overflow when opening a specially crafted file. Has the status of is-being-exploited-in-the-wild. Exploit code likely.

    The following is a breakdown of the operational capability levels used by MS in the definition of the Microsoft Exploitability Index.



    1 - Exploit code likely The
    probability of exploiting the vulnerability is very high, attackers can use the exploit, for example, to remotely execute code.

    2 - Exploit code would be difficult to build
    The likelihood of exploitation is average, since attackers are unlikely to be able to achieve a sustainable exploitation situation, as well as due to the technical features of the vulnerability and the complexity of the exploit development.

    3 - Exploit code unlikely The
    probability of exploitation is minimal and attackers are unlikely to be able to develop successfully working code and use this vulnerability to conduct an attack.

    We recommend that our users install updates as soon as possible and, if you have not already done so, enable automatic delivery of updates using Windows Update (this option is enabled by default).


    be secure.

    Read Next