The big news this month in Microsoft’s Active Protections Program, other than the eight new bulletins, is the expansion of the MAPP program. First Microsoft will be giving select companies like Trustwave a few extra days of advance notification for the upcoming month of bulletins so that we have a little extra time to develop protections for our customers before the bad guys can reverse engineer the patches and come out with exploits. This will further increase the time frame between Patch Tuesday and Exploit Wednesday. Second the program will offer a feed of sorts of malicious URLs, file hashes, incident data and relevant detection guidance to response companies, CSIRTs, ISACs, and security vendors. And third Microsoft will be offering company’s who are partners in the program access to a content vulnerability scanner to scan Office documents, PDF files, Flash movies, and suspect URLs in the ‘cloud’. Considering that the MAPP program is almost five years old and has changed very little in that time these are welcome expansions to the program.
As for the eight bulletins this month, there are three critical ones that each includes remote code execution. That includes Internet Explorer, XP and Server 2003 and Exchange Server, which doesn’t get much more critical. The rest are rated Important and consist of two Elevation of Privilege, two Denial of Service and one Information Disclosure. All five of them impact various parts of Windows itself. Interesting that this month there doesn’t seem to be any Office, SharePoint, or other application level patches.
Start scheduling those reboots, your going to need them this month!
Remote Code Execution in Internet Explorer
CVE-2013-3188 CVE-2013-3189 CVE-2013-3190
CVE-2013-3191 CVE-2013-3193 CVE-2013-3194 CVE-2013-3199
There are eleven CVEs fixed in this update. Most of them are memory corruption issues. At least one of which could allow remote code execution if a user views a specially crafted webpage using Internet Explorer and lets face it getting a user to visit a “specially crafted web page” isn’t all that difficult these days. This is a critical update if you are using IE on a Windows client and only Moderate if you are running Windows Server. These even impact IE 11 Preview and 8.1 RT Preview. If you are keeping score, CVE-2013-3199 seems to be the worst of the bunch. Microsoft says that exploit code is likely within thirty days which, considering how much attackers love to use IE, I think is probably a safe bet. (Restart #1)
Remote Code Execution in Unicode Scripts Processor
The Unicode Scripts Processor is the Microsoft Windows set of services for rendering Unicode-encoded text, especially complex text layout. In this case a remote code execution could occur if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. This pretty much only impacts Windows XP and Server 2003. It is possible to mitigate this vulnerability without applying the update by setting a custom level in the Security Tab of Internet Options and forcing the system to prompt or disable Font Downloading Security Setting but it is a lot easier to just apply the patch. (Restart #2, maybe)
Remote Code Execution in Microsoft Exchange Server
CVE-2013-3781 CVE-2013-3776 CVE-2013-2393
While Microsoft correctly lists these vulnerabilities as impacting Exchange Server the real issue is in the included Oracle Outside In Libraries and affect the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. An attacker can take advantage of these if a user previews a specially crafted file using Outlook Web App (OWA). While these vulnerabilities have already been publicly disclosed they have not yet been seen in the wild and Microsoft does not expect exploit code to be written for these anytime soon. (Restart unlikely)
Elevation of Privilege in Remote Procedure Call
A Remote Procedure Call is basically a common library that allows a client and server to communicate. In this case the way Microsoft Windows handles asynchronous RPC messages could be used by an attacker and result in an Elevation of Privilege. Microsoft does expect exploit code to be written for this one pretty soon so apply those patches, but be sure you get the right one, there are different packages depending on what version of Windows you are running, just turn on Automatic Updates and let the system figure out which one you need. (Restart #3)
Elevation Privilege in Windows Kernel
CVE-2013-2556 CVE-2013-3196 CVE-2013-3197 CVE-2013-3198
This vulnerability requires a specially crafted application in order to be exploited which means an attacker must have valid logon credentials and be able to log on locally in order take advantage of this flaw. The primary issue here is how the Windows kernel validates memory address values to disrupt the integrity of Address Space Layout Randomization. ASLR is used to prevent an attacker from reliably jumping to a particular memory address as in the case of a buffer overflow. The particular section of the Windows kernel impacted here is the NT Virtual DOS Machine (NTVDM) that contains a memory corruption issue fixed by this patch. You could try disabling the NTVDM via group policy or by editing the registry but it would be a lot easier to just apply the patch. (Restart #4)
Denial of Service in Windows NAT Driver
As the name suggests the Windows NAT Driver provides network address translation in Windows. A specially crafted ICMP packet could cause memory corruption forcing the target system to stop responding until it is restarted. (Restart #5)
Denial of Service in ICMPv6
Considering that the CVEs for MS13-064 and MS13-065 are only one digit off and that they both involve ICMP these are probably very closely related vulnerabilities. This vulnerability is caused when the TCP/IP stack does not properly allocate memory for incoming ICMPv6 packets and like M13-064 a specially crafted ICMP packet could cause memory corruption forcing the target system to stop responding until it is restarted. (Restart #6)
Information Disclosure in Active Directory Federation Services
Active Directory Federation Services (AD FS) allows the secure sharing of identity information between trusted business partners (known as a federation under Active Directory) across an extranet. This vulnerability could reveal information pertaining to the service account used by AD FS. An attacker could then attempt logons from outside the corporate network, which could result in account lockout of the service account used by AD FS. This would result in denial of service for all applications relying on the AD FS instance and reveal information pertaining to the service account. (Restart #7)
Phew, that’s seven restarts! Well, if you do it the right way anyway, and by the right way I mean install one patch, restart, test, and then install the next patch. Of course most sys admins I know might test them all on a non-production server and then install them all at once in production and restart once. Up to you, but if you really want to live dangerously just skip the testing and go straight to production! Live on the edge baby!