Patch Tuesday: November 2013

Microsoft has issued 8 patch bulletins this month, while Adobe has patched two vulnerabilities in Flash
Microsoft has issued 8 patch bulletins this month, while Adobe has patched two vulnerabilities in Flash

In total Microsoft has patched 19 vulnerabilities, nine of which are critical. Notably, a zero-day flaw disclosed last week by FireEye has now been fixed. FireEye described the vulnerability as an IE zero-day and explained that it was already being exploited in a watering hole attack on a strategic US website. The Microsoft fix, however, is not one of the IE fixes, but a separate update to ActiveX Kill Bits (MS13-090). 

The vulnerability could be exploited through a specially crafted webpage allowing remote code execution and giving the attacker the same privileges as the user. Since Microsoft's 'critical' label indicates that no user interaction is required, since it is already being exploited, and since many users automatically operate in administrator mode, this should be given high priority. Ross Barrett, senior manager of security engineering at Rapid7, goes further, pointing out that exploit code was made publicly available on Pastebin this morning. "It was known to be under some targeted exploitation, but that will probably expand now that the exploit is public. I would call patching this issue priority #1," he says.

What is not included this month is a fix for a second zero-day exploit also recently discussed by FireEye. There is some debate over its urgency. "While the story of this issue may be getting some mileage," comments Barrett, "the reality is it's in very limited, targeted exploitation in a specific region AND it requires user interaction to exploit, so I would not worry about it too much. At risk and high value systems should have the mitigations in place already, and if not, I suggest you investigate EMET. If you fear that you are at risk of being targeted, apply the Fix it."

Nevertheless, it is worth noting that FireEye found two separate actors exploiting the vulnerability. While one is for espionage purposes and therefore likely to be and remain tightly targeted, the other involves a criminal gang spreading the Citadel banking trojan. This is far less likely to be or remain tightly targeted. Noticeably, as this report is being prepared, FireEye has released a new alert suggesting that "other groups, including those associated with advanced persistent threat (APT) activity, have now begun to use this exploit as well. They have found that CVE-2013-3906 is now being used to drop Taidoor and PlugX." 

As usual the bulletins also include Internet Explorer updates. "The patch is offered as a cumulative security update," explains Ziv Mador, director of security research at Trustwave, "and fixes ten privately reported vulnerabilities – the most severe of which could allow remote code execution if a user visits a specifically crafted webpage. The update is critical for all currently supported versions of Internet Explorer, including Internet Explorer 8.1, 11 and RT Preview editions. The update fixes how Internet Explorer handles special characters in cascading style sheets, print previews and objects in memory. While none of these issues have yet been seen exploited in the wild, Microsoft does expect exploit code to be produced rather soon."

The third critical patch fixes a vulnerability in the Windows Graphics Device Interface that could allow remote code execution. Successful exploitation could give an attacker full control of the victim's computer with full user rights. Users operating under restricted rights would be less impacted than those operating with administrator rights.

The remaining five bulletins all concern 'important' updates. While these can still result in remote code execution, they require some user interaction. One interesting update involves an elevation of privilege vulnerability in Microsoft's virtual system, Hyper-V. An attacker would not be able to execute code on the host, but would be able to do so on guest VMs. The vulnerability could also lead to a denial of service condition.

Other bulletins fix an information disclosure vulnerability in the Windows Ancillary Function Driver; denial of service through a vulnerability in XML digital signatures (a specially crafted X.509 certificate could cause the service to stop responding); information disclosure when Outlook fails to properly handle the expansion of S/MIME certificate metadata; and three vulnerabilities in Office.

Overall, this month fixes numerous critical vulnerabilities, including one that is currently exploited and has an exploit freely available on the internet, but not including a second zero-day that is increasingly being exploited. But the available updates are not too burdensome on administrators. "For the first time in a few months," explains Barrett, "this is a relatively straightforward Patch Tuesday, with fixes for most Windows versions, the ever-present IE roll up patch (MS13-088), and some Office components, but nothing esoteric or difficult to patch. No SharePoint plugins, no complicated .NET patching, no esoteric office extensions. Though we can't forget the fun and games that GDI vulnerabilities tend to be for patching teams (MS13-089), this one appears simpler than most."

Adobe's version of Patch Tuesday is relatively quiet this month: just two updates to Flash.

What’s hot on Infosecurity Magazine?