The holiday season is in full swing in the U.S. and most parts of the world, and that means IT pros are busier than ever this month, under pressure to get all the servers and clients that connect to them updated before taking some time off (if they’re lucky) to celebrate the season with family and friends. Many of us may have secretly had on our wish lists the hope that December would bring fewer patches than usual, but we’ll have to settle for something else. Last year we got a fairly light slate of 7 patches, but this year too many of us must have been naughty, because the Microsoft update elves have been working overtime and have gifted us with 11 of them.
As reported in our Advance Notification summary last week, the vulnerabilities addressed include a mixed bag of remote code execution, elevation of privilege, information disclosure and a (until now) mysterious “security feature bypass” vulnerability. We’ll take a look at each of today’s security bulletins individually and pull out the most pertinent information, to help you assess the impact of each on your organization’s network.
As usual, we’ll start with those updates that are rated critical. For more detailed information, see the linked bulletin summary on the Microsoft TechNet web site.
MS13-096 (KB2908005) Affects supported versions of Windows Vista, Server 2008 (including Server Core installations), and Microsoft Office 2003, 2007 and 2010, as well as the Office Compatibility Pack SP3 and the Microsoft Word, Excel and PowerPoint Viewer software. Microsoft Lync 2010 and 2013 are also affected. Other versions of Windows (XP, Windows 7, Windows 8/8.1, Windows RT and Server 2003, 2008 R2 and 2012) are not affected. Office 2013 and 2013 RT and all other versions of Microsoft communications platforms other than the two versions of Lync are also not affected.
The critical rating applies to both the Windows client and server operating systems and Office applications. The update is rated important for Lync.
This update addresses one vulnerability in Windows, Office and Lync that had already been publicly disclosed: the zero-day I wrote about last month, caused by the way the graphics component in the named versions of Windows, Office and Lync parses TIFF image files. It can be exploited to run code remotely if a user views a malicious TIFF image, for example one embedded in a document, an email or a web page. The update corrects the way that image data is processed so the memory corruption can no longer be triggered. If you applied the interim workaround from Microsoft’s advisory last month (disabling the TIFF codec), you can revert it once the update is installed.
MS13-097 (KB2898785) Affects Internet Explorer versions 6, 7, 8, 9, 10 and 11 on all currently supported Windows operating systems, with the exception of Server Core installations (which don’t include IE). The critical rating applies generally to IE on Windows clients; on Windows Server releases, where IE’s Enhanced Security Configuration limits the exposure, the rating is downgraded to important or moderate.
This update addresses seven different vulnerabilities in the IE web browser that were privately reported by researchers from Context Information Security, HP’s Zero Day Initiative, OUSPG and Palo Alto Networks. They could be exploited to run code remotely if a user views a malicious web page in IE, giving the attacker the same rights as the currently logged-on user, so users who browse with a standard (non-administrative) account limit the damage compared with those running as administrators.
The update fixes the problems by changing the method by which IE handles objects in memory and by requiring additional permission validations in IE.
MS13-098 (KB2893294) Affects all supported versions of the Windows operating system (XP, Vista, Windows 7, 8/8.1 and RT, Server 2003, 2008, 2008 R2, 2012 and 2012 R2), including server core installations. Basically, if you’re running Windows, you need this update and it’s rated critical for all supported Windows releases.
The update addresses one vulnerability that was privately reported by the Kingsoft Internet Security Center. It could be exploited to run code remotely if a user or an application runs or installs a specially designed PE (portable executable) file. PE is the file format used for EXE, DLL, SYS and other executable file types, and this is a signed-file problem: an attacker could take an existing, legitimately signed PE file and add content in portions of the file that the signature check did not cover, without invalidating the signature, so the tampered file still passes as trusted.
The update fixes the problem by changing the way the WinVerifyTrust function handles verification of Windows Authenticode signatures for PE files. Note that the stricter check may affect the functionality of some installers and other legitimate PE files from third-party vendors if their signatures don’t comply with the Authenticode specification. For that reason Microsoft shipped the stricter behavior as an opt-in (see Security Advisory 2915720), controlled by the EnableCertPaddingCheck registry value, with enforcement by default planned for June 10, 2014. Test your installers with the check enabled before you roll it out.
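The following PowerShell is an added example, not code from the bulletin or from Microsoft: it reports the Authenticode status of every PE file under a folder, and it turns on the stricter WinVerifyTrust behavior that MS13-098 makes available through the EnableCertPaddingCheck opt-in from Security Advisory 2915720. The folder `$env:TEMP\installers` is an assumed location; point it at a copy of your own installer repository.

```powershell
# Added example (not from MS13-098 or Microsoft): audit Authenticode signatures under a folder,
# then enable the stricter WinVerifyTrust check so the audit can be repeated with it on.
function Get-PeSignatureReport {
    param([Parameter(Mandatory=$true)][string]$Folder)

    Get-ChildItem -Path $Folder -Recurse -Include *.exe, *.dll, *.sys, *.msi -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-AuthenticodeSignature calls WinVerifyTrust, the function MS13-098 changes
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            New-Object PSObject -Property @{
                Path   = $_.FullName
                # Valid, NotSigned, HashMismatch (file changed after signing), NotTrusted, UnknownError ...
                Status = $sig.Status
                Signer = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' })
            }
        }
}

function Enable-StrictAuthenticodeCheck {
    # Security Advisory 2915720 opt-in: REG_SZ EnableCertPaddingCheck = "1" makes WinVerifyTrust
    # reject signed PE files that carry extra, unsigned bytes in the certificate table. Both
    # registry views are set on 64-bit Windows so 32-bit and 64-bit callers behave the same way.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config')
    if (Test-Path 'HKLM:\SOFTWARE\Wow6432Node') {
        $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
    }
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name EnableCertPaddingCheck -PropertyType String -Value '1' -Force | Out-Null
    }
}

# Usage (run as administrator for the registry change). $env:TEMP\installers is an assumed folder.
Get-PeSignatureReport -Folder "$env:TEMP\installers" |
    Where-Object { $_.Status -ne 'Valid' } |
    Format-Table Status, Signer, Path -AutoSize

Enable-StrictAuthenticodeCheck
# Re-run the report afterwards: a file that reported Valid before and no longer does is one
# whose signature depends on the padding the stricter check rejects; ask the vendor for a
# re-signed build rather than whitelisting it.
```

Run the report once before enabling the check and once after, and compare the two lists; the difference is exactly the set of third-party files the bulletin warns may stop working.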
MS13-099 (KB2909158) This is another one that affects all supported versions of Windows, including Server Core installations. The affected component is Windows Script, versions 5.6, 5.7 and 5.8, and specifically the Microsoft Scripting Runtime Object Library (scrrun.dll) that VBScript and JScript code uses for objects such as FileSystemObject and Dictionary. It’s rated critical for all versions of Windows Script on all supported releases of Windows.
The update addresses one privately reported vulnerability (no attribution given). If a user can be convinced to visit a web site hosting specially designed content, it can be exploited to run code remotely with the same rights as the currently logged-on user.
The update fixes the problem by changing the way the Scripting Runtime Object Library handles objects in memory. To determine which version of Windows Script is installed on a computer, find scrrun.dll (it lives in %SystemRoot%\System32, with a second 32-bit copy in %SystemRoot%\SysWOW64 on 64-bit Windows), open its properties and read the version number on the Details tab. Versions of Windows Script earlier than 5.6 are no longer supported by Microsoft.
MS13-105 (KB2915705) Affects supported versions of Exchange Server 2007 and 2010. Exchange Server 2003 SP2 is not affected. The update is rated critical for all affected versions.
The update addresses three vulnerabilities that had been publicly disclosed along with one that was reported privately by Minded Security/Criteo. If an attacker emails a specially designed attachment and the Exchange server processes it (for example when a user previews it in Outlook Web App), code could be run on the server in the context of the LocalService account.
Two of the problems are in the Oracle Outside In libraries that Exchange’s WebReady Document Viewing and Data Loss Prevention features use to parse attachments; the others are in Outlook Web App. The update makes several changes: re-enabling the MAC (message authentication code) check that had been disabled, ensuring that URLs are sanitized, and updating the affected Oracle Outside In libraries to a version that is not vulnerable.
MS13-100 (KB2904244) Affects SharePoint Server 2010 SP1 and SP2, along with SharePoint Server 2013 and Microsoft Office Web Apps 2013. Other versions of SharePoint are not affected. Web Apps 2010 SP 1 and SP2 are not affected. Rating is important on all affected software and services.
This update addresses multiple privately reported vulnerabilities (no attribution given). An authenticated attacker who submits specially designed page content to an affected SharePoint server could run code on it in the context of the W3WP service account, that is, the IIS worker process that hosts SharePoint. Because the attacker needs a valid account, the rating is important rather than critical.
The update fixes the problem by changing the way the SharePoint server sanitizes page content.
MS13-101 (KB2880430) Affects all supported versions of the Windows operating system (XP, Vista, Windows 7, 8/8.1 and RT, Server 2003, 2008, 2008 R2, 2012 and 2012 R2), including server core installations.
This update addresses five different vulnerabilities in Windows that were privately reported by researchers at Qihoo, F13 Laboratory and Core Security Technologies. They could be exploited to cause a denial of service or to elevate privileges if an attacker logs on to a computer and runs a specially designed application. The good news is that an attacker can’t do this without valid logon credentials and the ability to log on locally, hence the important rating rather than critical. Keep in mind, though, that these are exactly the bugs malware uses after an initial foothold to go from a standard user account to kernel privileges, so they shouldn’t be left for later.
The problems are in the way Windows validates memory addresses and array indexes. The update fixes them by changing the way the kernel-mode driver and the Windows audio port class driver handle objects in memory, and by ensuring that array indexes are validated properly when TrueType fonts are loaded.
MS13-102 (KB2898715) Affects supported versions of Windows XP and Server 2003. Other versions of Windows (Vista, Windows 7, 8/8.1 and RT, and Server 2008, 2008 R2, 2012 and 2012 R2) are not affected.
This update addresses one vulnerability that was privately reported by Renguang Yuan of Qihoo. If an attacker is able to spoof an LRPC (local RPC) server and send a specially designed LRPC message to an LRPC client, the attacker could elevate privileges and then install programs, manipulate data or create new accounts with full administrative rights. However, this requires logging on locally with valid credentials, which somewhat mitigates the severity.
The crafted message overruns a buffer in the LRPC client. The update fixes the problem by validating LRPC messages before they are processed.
The ASP.NET SignalR update fixes a cross-site scripting problem by having SignalR properly encode input from users before it is reflected back to browsers. To find out whether, and which version of, SignalR is installed on a computer, search the system drive for files whose names contain SignalR and view the properties of the files to find the version numbers.
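The two “check the file version” procedures above (scrrun.dll for MS13-099 and the SignalR assemblies for the SignalR bulletin) are the same task, so here is one added PowerShell example that does both. It is not code from the bulletins or from Microsoft; the SignalR search assumes the assemblies are plain DLLs whose names contain “SignalR”, which is how the NuGet packages are named.

```powershell
# Added example (not from the bulletins): report file versions of the Scripting Runtime
# library (scrrun.dll) and of any ASP.NET SignalR assemblies found on the system drive.
function Get-FileVersionInfo {
    param([Parameter(Mandatory=$true)][string[]]$Path)
    foreach ($p in $Path) {
        $item = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
        if (-not $item) { continue }    # skip paths that don't exist on this machine
        New-Object PSObject -Property @{
            Path           = $item.FullName
            FileVersion    = $item.VersionInfo.FileVersion     # what the Details tab shows
            ProductVersion = $item.VersionInfo.ProductVersion
            Modified       = $item.LastWriteTimeUtc
        }
    }
}

# Windows Script runtime: on 64-bit Windows there is a 64-bit copy in System32 and a
# 32-bit copy in SysWOW64, and both must carry the updated version.
$scrrun = @("$env:SystemRoot\System32\scrrun.dll")
if (Test-Path "$env:SystemRoot\SysWOW64") { $scrrun += "$env:SystemRoot\SysWOW64\scrrun.dll" }
Get-FileVersionInfo -Path $scrrun | Format-Table Path, FileVersion, Modified -AutoSize

# SignalR: a full scan of the system drive is slow but mirrors the bulletin's advice.
# Assumed file layout: any *SignalR*.dll, typically in a web site's bin folder.
$signalr = Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Filter '*SignalR*.dll' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName
if ($signalr) {
    Get-FileVersionInfo -Path $signalr | Format-Table Path, FileVersion -AutoSize
} else {
    'No SignalR assemblies found on the system drive.'
}
```

Comparing the reported FileVersion against the version listed in the bulletin’s file information tells you whether the update actually landed, which is more reliable than trusting the update history alone.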
MS13-104 (KB2909976) Affects Microsoft Office 2013 (32 and 64 bit) and Office 2013 RT. Other supported versions of Microsoft Office for Windows and Mac are not affected.
This update addresses one token hijacking vulnerability that was privately reported by Noam Liran of Adallom. If an attacker hosts an Office file on a malicious web site and a user attempts to open it, Office 2013 can be tricked into revealing the access tokens that authenticate the user to a Microsoft server site such as SharePoint, which would give the attacker that user’s access to the site.
The problem is the way Office 2013 handles specially designed responses from web sites. The update corrects how those responses are handled so that the token is not disclosed.
MS13-106 (KB2905238) Affects supported versions of Microsoft Office 2007 and 2010. Does not affect Office 2003 SP3 or any edition of Office 2013. Also does not affect the Office Compatibility Pack or Office for Mac 2011.
This update addresses one publicly disclosed vulnerability in an Office shared component. This is the “security feature bypass” vulnerability we speculated about after receiving this month’s advance notification. The feature that can be bypassed is Address Space Layout Randomization (ASLR), a Windows memory-protection mechanism that loads executables and DLLs at unpredictable addresses so an exploit can’t rely on knowing where code and data sit. A DLL that isn’t built to support ASLR loads at the same address every time, and an attacker who can get such a DLL loaded into a process, for example a shared Office component instantiated by Internet Explorer, gets a known address to work from. An ASLR bypass does nothing on its own; it is typically combined with a separate memory-corruption bug, such as one in IE, to run remote code.
To exploit it, an attacker needs a user to view a specially designed web page, or to open a specially designed attachment. The vulnerability can’t be exploited by email alone, but a link in an email message could take the user to the web site hosting the specially designed content, either a page the attacker runs or one that accepts user-provided content.
The update fixes the problem by ensuring that the Office shared component is built to participate in ASLR properly, so it loads at a randomized address.
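Whether a given DLL opts in to ASLR is recorded in its PE header, so you can audit this yourself rather than waiting for the next bulletin. The PowerShell below is an added example, not code from the bulletin or from Microsoft: it reads the DllCharacteristics field of the optional header and reports the DYNAMICBASE (ASLR) and NXCOMPAT (DEP) flags, and also checks that relocations weren’t stripped, since an image without relocations can’t be moved even if the flag is set. The Office shared-component folder used in the usage lines is an assumed location; adjust it for your installs.

```powershell
# Added example (not from MS13-106 or Microsoft): does this PE image opt in to ASLR and DEP?
function Test-PeMitigations {
    param([Parameter(Mandatory=$true)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # DOS header: "MZ" magic at 0, e_lfanew (file offset of the PE signature) at 0x3C
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) {
        throw "$Path is not a PE image (no MZ header)"
    }
    $pe = [BitConverter]::ToInt32($bytes, 0x3C)
    # Need signature(4) + COFF header(20) + the first 72 bytes of the optional header
    if ($pe -lt 0 -or ($pe + 96) -gt $bytes.Length -or [BitConverter]::ToUInt32($bytes, $pe) -ne 0x00004550) {
        throw "$Path is not a PE image (no PE\0\0 signature)"
    }

    # COFF file header follows the 4-byte signature; Characteristics is at offset 18 within it
    $coff = $pe + 4
    $characteristics = [BitConverter]::ToUInt16($bytes, $coff + 18)
    $relocsStripped  = ($characteristics -band 0x0001) -ne 0      # IMAGE_FILE_RELOCS_STRIPPED

    # Optional header follows the 20-byte COFF header. Magic distinguishes PE32 (0x10B) from
    # PE32+ (0x20B); DllCharacteristics is at offset 70 in both layouts.
    $opt   = $coff + 20
    $magic = [BitConverter]::ToUInt16($bytes, $opt)
    if ($magic -ne 0x10B -and $magic -ne 0x20B) {
        throw "$Path has an unknown optional header magic 0x$($magic.ToString('X'))"
    }
    $dllChars    = [BitConverter]::ToUInt16($bytes, $opt + 70)
    $dynamicBase = ($dllChars -band 0x0040) -ne 0                   # IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE

    New-Object PSObject -Property @{
        Path           = $Path
        Is64Bit        = ($magic -eq 0x20B)
        DynamicBase    = $dynamicBase
        RelocsStripped = $relocsStripped
        # The loader can only rebase an image that still carries relocations, so both are needed
        AslrEffective  = ($dynamicBase -and -not $relocsStripped)
        NxCompat       = ($dllChars -band 0x0100) -ne 0             # IMAGE_DLLCHARACTERISTICS_NX_COMPAT
        HighEntropyVA  = ($dllChars -band 0x0020) -ne 0             # 64-bit high-entropy ASLR
    }
}

# Usage: list every DLL under the Office shared-component folder that would load at a fixed
# address. The folder is an assumed location (32-bit Office under 64-bit Windows first).
$folder = "${env:ProgramFiles(x86)}\Common Files\Microsoft Shared"
if (-not (Test-Path $folder)) { $folder = "$env:ProgramFiles\Common Files\Microsoft Shared" }
Get-ChildItem -Path $folder -Recurse -Filter *.dll -ErrorAction SilentlyContinue | ForEach-Object {
    try { Test-PeMitigations -Path $_.FullName } catch { Write-Warning $_ }
} | Where-Object { -not $_.AslrEffective } |
    Format-Table Path, DynamicBase, RelocsStripped, NxCompat -AutoSize
```

Any DLL that shows up in that list is a candidate ASLR bypass for whatever process loads it, which for COM-visible Office components includes Internet Explorer; that is the class of problem this bulletin fixes for one component.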