Saint Patrick’s day is quickly becoming Saint Patrick’s week. Some cities have scheduled their parade a week earlier than the actual day, which I guess means an extended period of green beer. Hopefully the luck of Irish is with you this month as Microsoft rolls out seven bulletins that may impact your systems. If they attackers get lucky they could end up execute arbitrary remote code so grab your lucky charm and apply these patches as soon as you can so you go grab some of that green beer before it is all gone.
Remote Code Execution in Internet Explorer
CVE-2013-0087 CVE-2013-0088 CVE-2013-0089 CVE-2013-0090
CVE-2013-0091 CVE-2013-0092 CVE-2013-0093 CVE-2013-0094
This bulletin covers nine CVE’s, which isn’t as many snakes as St. Patrick drive out of Ireland but is still quite a lot. Eight of these where reported privately to Microsoft but one of them, and we suspect the one that is out of CVE numerical order, was publicly disclosed. As we suspected last week all of them are use after free vulnerabilities in various parts of Internet Explorer. Use after Free has been pretty popular over the last few month and we suspect we will see more of these in the near future. If a user views a specially crafted web page it could result in remote code execution. Despite the public disclosure of one of these CVEs they haven’t been seen being exploited in the wild, yet. However, Microsoft does expect to see exploit code for some or all of these in the near future.
Remote Code Execution in Silverlight
This is a Null Pointer Dereference Vulnerability does not unfortunately point to a pot of gold. This is something you usually see in Linux and not so often in Windows, at least not since the introduction of function pointer encoding in XP SP2. This one could require a little social engineering to exploit. By convincing a user to visit a website that hosts specially crafted content attackers could take advantage of this vulnerability to execute arbitrary code. This could come by way of a link in a spam email, an IM, a targeted phishing attack or even a watering hole attack on a compromised website. Both Mac and Windows versions of Silverlight 5 are vulnerable, but not the current build 5.1.10411.0, which already addresses this vulnerability and is not impacted. Microsoft does expect exploit code to be developed for this fairly soon so it is best to allow auto update to do its thing and install the patch.
Remote Code Execution in Visio Viewer
Leprechauns like to play tricks and it looks like they tricked us here. Last week we thought this bulletin would be related to MS13-026 but it looks like the jokes on us as this one only impacts Visio Viewer 2010. You may be offered this update even if you don’t have Visio Viewer installed. The flaw here exists in a shared component with MS Office, the component is present in Office so the update will be offered to all Office users even if they don’t have Visio Viewer installed.
Elevation of Privilege in SharePoint
CVE-2013-0080 CVE-2013-0083 CVE-2013-0084 CVE-2013-0085
A four-leaf clover is considered pretty lucky but these four CVEs are not. These four CVE’s cover just about everything, from a Callback Function, XSS, Directory Traversal and even a good old fashioned Buffer Overflow vulnerability. The most severe of which could allow an elevation of privilege if a user visits a targeted SharePoint site, but only if the user is running SharePoint 2010 SP1 or SharePoint Foundation 2010 SP1. Other versions of SharePoint do not appear to be impacted.
Information Disclosure in OneNote
If you are running the latest version of OneNote, OneNote 2013, or a really old version like 2003 or 2007 or even the WebAps 2010 version you don’t need to worry about this bulletin but if you are running OneNote 2010 SP1 32 or 64 bit then you will need this patch. If you don’t install the patch an attacker could convince you to open a specially crafted OneNote file, perhaps one promising you a kiss since your Irish, causing a buffer size validation issue and allowing them to read arbitrary data.
Information Disclosure in Outlook for Mac
You don’t usually see Mac Office vulnerabilities by themselves, which is why last week we thought this one might be related to MS13-023 in Visio, looks like we wrong on that one. This one impacts both MS Office for Mac 2008 and 2011 and revolves around how Outlook for Mac loads specific content tags in an HTML5 email message. An attacker could use a specially crafted HTML email message to load content without user interaction allowing an attacker to know that a specific email was read and that the email account is valid. After applying this update Outlook will ask a user if they are sure they want to download external content. If you want to be lucky make sure your horseshoe is pointed up so the luck doesn’t run out while you install this update.
Elevation of Privilege in Kernel Mode Drivers
CVE-2013-1285 CVE-2013-1286 CVE-2013-1287
All three of these are USB descriptor vulnerabilities, which if successfully exploited could result in an Elevation of Privilege for the attacker. The flaw exists in all supported versions of Windows from XP SP2 up to Server 2012. Since the problem exists in the USB drivers you could try to prevent users from using USB devices, which these days would probably mean taking away their keyboard and mouse. If a user does insert a USB device that can take advantage of this flaw it may sprout roots and grow just as St. Patrick’s staff. It would be a lot easier to just apply this update. Microsoft does expect exploit code to be developed for this flaw pretty quickly, so again, apply the update.