When it rains, it pours. Today MS released 12 patches, addressing a staggering 57 separate vulnerabilities. This marks the most individual vulnerabilities addressed by MS in a single month since April 2011. This month’s security bulletins include the following:
- (MS13-009) Cumulative Security Update for Internet Explorer (2792100)
- (MS13-010) Vulnerability in Vector Markup Language Could Allow Remote Code Execution (2797052)
- (MS13-011) Vulnerability in Media Decompression Could Allow Remote Code Execution (2780091)
- (MS13-012) Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2809279)
- (MS13-013) Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution (2784242)
- (MS13-014) Vulnerability in NFS Server Could Allow Denial of Service (2790978)
- (MS13-015) Vulnerability in .NET Framework Could Allow Elevation of Privilege (2800277)
- (MS13-016) Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (2778344)
- (MS13-017) Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2799494)
- (MS13-018) Vulnerability in TCP/IP Could Allow Denial of Service (2790655)
- (MS13-019) Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2790113)
- (MS13-020) Vulnerability in OLE Automation Could Allow Remote Code Execution (2802968)
The bulk of this month’s vulns come from just two individual patches. MS13-009 addresses 13 separate vulnerabilities in Internet Explorer, several of which allow an attacker to achieve remote code execution if they can lure a victim to visit a malicious web page. MS13-016 fixes 30 instances of an Elevation of Privilege vulnerability in the Windows kernel; this is really the same vuln present in 30 different places, resulting in a somewhat inflated count. Factor out these 2 patches, and you have a fairly mundane month.
In total, 5 of the 12 patches released today address some sort of remote code execution (MS13-009, -010, -011, -012, and -020), and are listed as Critical. The remaining ones address Denial of Service and Elevation of Privilege vulnerabilities, and are reported by Microsoft as Important. Of these critical vulns, one has been exploited in limited, targeted attacks (MS13-010).
While this represents a fairly heavy workload, it only tells a part of the story that enterprises face every day. The last few weeks have brought a notable onslaught of new vulnerabilities and public attacks. Here’s a brief snapshot of the most critical events since last Patch Tuesday:
- Jan 10: 0-day exploits in Java gain broad attention.
- Jan 13: Oracle releases Java patch.
- Jan 14: MS releases out-of-cycle patch to IE, to address ongoing targeted attacks.
- Jan 16: Oracle releases numerous patches to a variety of products, addressing a total of 86 vulns.
- Jan 18: Red October attacks disclosed, hitting numerous governments and critical infrastructure providers.
- Jan 31: Chinese hacks of multiple news outlets disclosed, including NY Times, Wall Street Journal, Washington Post.
- Feb 1: Oracle releases another Java patch, addressing 50 separate vulnerabilities.
- Feb 2: Twitter discloses that 250,000 Twitter account details have leaked.
- Feb 5: Federal Reserve admits they have been hacked by Anonymous, in retribution for the death of Internet activist Aaron Swartz.
- Feb 7: Adobe releases surprise patch to address 0-day exploits in Flash.
- Feb 12: Adobe releases patches to address 17 more vulns in Flash and 2 in Shockwave Player.
- Feb 12: Oracle announces another Java patch will be forthcoming on Feb 19th…
And so it goes. If it seems like threats are escalating, you’re not imagining things. In late January, Mitre (the organization that administers the CVE registry, the standard tool used to name and label vulnerabilities) announced that they would be expanding the CVE format. Today’s format supports naming “only” up to 9,999 new vulnerabilities each year (we saw 5,289 in 2012), and Mitre anticipates running out of space in the near future.
No one can be expected to react to this incredible rate of change as it comes. The only possible successful strategy for defending against this is a proactive stance, based on overlapping, complementary layers of security wrapped in a cohesive management framework. Now is the time to be talking to your most trusted security partners about how they can help you build a robust platform to address this escalating threat landscape.
As for McAfee’s coverage of this month’s vulns, there’s a lot of good news. Factoring out MS13-016 (no specific coverage for this collection of 30 identical privilege escalation vulns), McAfee’s confirmed coverage for this month’s vulns is as follows:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 16 out of 27 vulnerabilities this month.
- McAfee Host Intrusion Prevention is expected to provide protection against exploits of 20 out of 27 vulnerabilities this month.
- McAfee's Network Security Platform has new signatures confirmed to protect against exploits of 13 out of 27 vulnerabilities this month.
- McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Aggregate coverage (combining host and network-based countermeasures together) is 20 out of 27. Coverage is excellent for all of the critical vulnerabilities: 100% of the vulns that support RCE. Without going into the full details, coverage is very good for the various Java and Adobe vulnerabilities that have been patched over the last month as well. Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email, or listening to AudioParasitics, the official McAfee Labs podcast.