Hi all,

 

Now that Daylight Savings Time is behind us here in the US, we’ve got an extra hour of daylight to ensure our systems are protected against the latest batch of vulnerabilities disclosed by Microsoft.  Today Microsoft released 7 patches addressing a total of 20 new vulnerabilities.  This month’s Microsoft patches include:

 

  • (MS13-021) Cumulative Security Update for Internet Explorer (2809289)
  • (MS13-022) Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
  • (MS13-023) Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261)
  • (MS13-024) Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176)
  • (MS13-025) Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264)
  • (MS13-026) Vulnerability in Office Outlook for Mac Could Allow Information Disclosure (2813682)
  • (MS13-027) Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)

 

The patches are fairly heavily weighted toward desktop applications this month, with only a single server-focused patch addressing a collection of issues in SharePoint (MS13-024).

 

Most immediately threatening is a typical roll-up patch for Internet Explorer (MS13-021).  It addresses 9 distinct “use after free” vulnerabilities, any of which allow an attacker to execute code in the context of the logged on user, if they can lure the user to a malicious web page.  One of these vulns has been disclosed publically, but none of them are known to have been leveraged in any actual attacks in the wild.

 

Also interesting are 3 kernel vulnerabilities in the Windows USB drivers.  With these vulns, an attacker who inserts (or convinces a user to insert) a USB stick into a vulnerable system can automatically run code of their choice in kernel mode without further user interaction, even if there is no user logged on.  Insert stick/pwn box.  While the requirement for physical access might seem to be a high bar for an attacker to meet, this attack vector is ripe for targeted social engineering attacks.  If someone sent me a USB stick in the mail, with the label “Star Wars Episode VII – Draft Script”, I’d load that thing up at point five past lightspeed, no questions asked.  Also remember that there are often plenty of people who have casual access to our workstations (custodial staff, disgruntled co-workers), and a screen lock is no defense against this particular attack vector. 

 

McAfee’s coverage for this month’s vulnerabilities is as follows:

 

  • McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 9 out of 20 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 11 out of 20 vulnerabilities this month.
  • McAfee's Network Security Platform has new signatures confirmed to protect exploits of 8 out of 20 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 11 out of 20 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

 

Aggregate coverage (combining host and network-based countermeasure together) is 12 out of 20.  Coverage is particularly good for the 9 IE code execution vulns, with broad coverage across all countermeasures.

 

Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in.  As more details become available, you’ll find them on the McAfee Threat Center.  You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

 

Happy patching!

 

Scott