Hello all!


Happy New Year! Today was the first Patch Tuesday of 2013, and Microsoft released 7 patches addressing 12 new vulnerabilities. Two of the patches are identified as Critical by Microsoft, addressing Remote Code Execution (RCE) issues in the Print Spooler and MS XML Core Services. The remaining 5 bulletins are labeled as Important, and none has been disclosed or exploited in the wild prior to today’s announcement. This month’s patches are as follows:


  • (MS13-001) Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution (2769369)
  • (MS13-002) Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145)
  • (MS13-003) Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege (2748552)
  • (MS13-004) Vulnerability in .NET Framework Could Allow Elevation of Privilege (2769324)
  • (MS13-005) Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930)
  • (MS13-006) Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220)
  • (MS13-007) Vulnerability in Open Data Protocol Could Allow Denial of Service (2769327)


What’s most interesting at this time, however, is what Microsoft has *not* done, which is to patch a known, critical vulnerability in Internet Explorer. In late December, Microsoft disclosed (but has not yet patched) a vulnerability affecting IE 6, 7, and 8. This vulnerability can be used to perform remote code execution on a vulnerable browser, and has been actively exploited in the wild in several targeted attacks. Most notably, the web site for the Council on Foreign Relations was found to be subverted on or around Dec 21, 2012, and has been serving up exploit code to visitors in the form of drive-by downloads. The CFR has some very influential members, including former Presidents, Vice Presidents, Secretaries of State, and nationally-known journalists, giving this all the makings of a classic “Watering Hole” attack. In addition, a Metasploit module has been published, arming the script kiddies of the world with a weaponized exploit. We can expect that this one will not quietly disappear.


MS has documented some workarounds (for example, upgrading to IE 9 or 10, which are not vulnerable) as well as a Fix It, which acts as a temporary mitigation until a proper patch is released. Unfortunately, the documented mitigations are either largely impractical or not 100% effective, and it is very likely that exploits of this vulnerability will accelerate in the time until a patch is released. MS will surely be keeping a close eye on the activity surrounding this vulnerability, and it would not be surprising to see an out-of-cycle patch released in the coming weeks.


The patches released this month are not especially concerning. The critical patch to MS XML Core Services (MS13-002) is the most noteworthy, as it affects a very broad range of MS operating systems, applications, and tools, and can be exploited relatively easily by luring an unsuspecting browser to a malicious web page. The other critical patch (MS13-001) fixes a remote code execution vulnerability in the Windows Print Spooler. While remote code execution vulns are always noteworthy, this one requires a pretty torturous series of conditions to occur in order to be successfully exploited. It’s unlikely to see widespread exploits, but could serve well in certain kinds of targeted attacks.


McAfee’s confirmed coverage for this month’s vulns, plus the additional unpatched IE vuln discussed above, is as follows:


  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 4 out of 13 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 6 out of 13 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 6 out of 13 vulnerabilities this month.
  • McAfee Application Control is confirmed to provide protection against exploits of 4 out of 13 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.


Aggregate coverage (combining host and network-based countermeasures together) is 7 out of 13. In particular, coverage is excellent for all of the critical vulnerabilities: of the 4 vulns that support RCE (1 vuln in MS13-001, 2 vulns in MS13-002, 1 unpatched IE vuln), *all 4* are covered by VirusScan’s buffer overflow protection, HIPS, and Application Control, and 3 out of 4 are covered by NSP. In addition, there are DATs available for VirusScan, Web Gateway, and other products that identify and eradicate known exploits when they are found.


Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.


Happy patching!