I had lunch today at a great little Cajun restaurant in Chicago called Heaven on Seven, so named because it happens to be on the seventh floor of a large office building. (If you go, get the gumbo.) Of course, purely by coincidence, we happen to have exactly seven bulletins from Microsoft this month. (At least there aren’t as many bulletins as Heaven on Seven has hot sauces. They have 1320 of them!)
While it may not be a great start to the New Year, only seven bulletins isn’t that bad, historically speaking. Although when you add in the recent Internet Explorer 0-day vulnerability, things aren’t looking much better in 2013 than they did in 2012. While there are two ‘critical’ patches this month and five ‘important’ ones, none of them cover the zero-day vulnerability discovered two weeks ago. Microsoft has issued a Fix-It for the zero-day vulnerability in Internet Explorer; however, a bypass for the Fix-It has already been published, which means that people who are still using Internet Explorer 6, 7 or 8 will still be vulnerable until probably next month’s Patch Tuesday. In the meantime they may feel like they are using a browser that is as hot as Mad Dog 357 Ghost Pepper sauce! Of course, if you can’t wait until next month’s Patch Tuesday, you could also just update your browser to Internet Explorer 9 or 10, or to Chrome or Firefox, and remove the burning from your mouth.
This month’s bulletins seem to be pretty evenly spread around, with three in Microsoft Windows, one in XML Core Services, one in System Center Operations Manager (SCOM), one in .NET and one in OData Services. In all, the seven bulletins cover just twelve CVEs. The two critical bulletins are MS13-001, which is in the print spooler of all places, and MS13-002 in MSXML.
Remote Code Execution in Windows Print Spooler
This one only impacts Windows 7 and Server 2008 R2. If the print server receives a specially crafted print job, it could allow remote code execution. Almost like the specially crafted Bourbon Street Really Bad hot sauce will remotely execute a fire in your mouth! If you are running Server 2008 R2 and are looking for this update in Windows Update to put out that fire and not finding it, it may be because your server is not configured with the Printer-ServerCore-Role. This vulnerability was reported privately to Microsoft and so hasn’t been seen in the wild yet, but specially crafted Bourbon Street Really Bad hot sauce is in the wild, so apply those patches as soon as you can.
Remote Code Execution in Microsoft XML Core Services
While not impacted itself, Internet Explorer is used as the attack vector for this vulnerability. By tricking a visitor into visiting a specially crafted web page, XML Core Services can be made to incorrectly parse certain XML content, resulting in remote code execution. Just about everything uses XML Core Services, including XP SP3 through Windows 8 and RT, as well as Server 2008, some installations of MS Office, SharePoint and even Groove Server. Luckily Island Groove Jamaican Hot Sauce is not vulnerable! While there is only one Island Groove Jamaican Hot Sauce, you may be offered more than one version of this patch depending on which versions of XML Core Services you have installed.
Elevation of Privilege in System Center Operations Manager
You might wonder just what the hell System Center Operations Manager is, just like you might wonder just how hot Tears of Fire Hot Sauce really is. While MS13-003 will elevate your privileges, will you really have tears of fire after tasting Tears of Fire Hot Sauce? If you are not familiar with it, SCOM allows you to manage multiple hypervisors in a cloud management platform. Again the issue is exploited by first visiting a specially crafted web page, perhaps via a link in a phishing email, a watering hole attack or even a compromised advertisement on a web page. The attacker can then use a cross-site scripting (XSS) vulnerability to inject a client-side script into the user’s browser, allowing the attacker to take any action allowed by the user’s level of access.
Elevation of Privilege in .NET Framework
CVE-2013-0002, CVE-2013-0003 and CVE-2013-0004
Texas Tongue Three Pepper Hot Sauce says it uses three different peppers, just like this bulletin covers three different CVEs. The most severe CVE of this bunch could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs), or it can also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. The security update addresses how .NET handles items in memory, including array sizes and object permissions. Texas Tongue Three Pepper Hot Sauce, on the other hand, just makes your food taste hot.
Elevation of Privilege in Windows Kernel-Mode Driver
Don’t confuse a kernel-mode driver with Colonel Cooper’s Mile High Hot Sauce: one tastes yummy, the other allows elevation of privilege. The Windows kernel-mode driver handles window broadcast messages, which is how Windows communicates with various applications. An attacker needs to be able to log on locally to a system in order to take advantage of this flaw. If this vulnerability is successfully exploited, an attacker could take complete control of a system, limited only by the user’s level of access, another reason not to run as admin all the time.
Security Feature Bypass
This is only rated important, and with a description of ‘Security Feature Bypass’ you might not realize that it’s actually a vulnerability in the implementation of SSL and TLS in Microsoft Windows. Just like the name Inner Beauty Sauce might fool you as to the effects of the contents of the bottle, this description might fool you as to the severity of this bulletin. An attacker could use this flaw to inject specially crafted content into an SSL/TLS session and cause the SSL connection to downgrade from SSLv3 to SSLv2.
Denial of Service in Open Data Protocol
The Open Data Protocol (OData) is a web protocol for querying and updating data that provides access to information from a variety of applications, services, and stores. However, Microsoft’s version could allow a denial of service if an unauthenticated attacker sends a specially crafted HTTP request to an affected site. You will need this update if you have .NET installed or the Management OData IIS Extension on Server 2012. The patch fixes the vulnerability by turning off the WCF Replace function by default. If you can’t apply the patch you could try blocking ports at your firewall, but OData usually uses ports 80 and 443, so that probably won’t work. You could also try turning on authentication for clients connecting via IIS, but that would probably be a major pain for your users; just install the patch.
Now, go grab one of your favorite hot sauces, or just get some Tabasco if you can’t find your favorite (or maybe Tabasco is your favorite), get some grub to put the sauce on, and fire up Windows Update and get installing those patches.