This week brings us the latest round of security bulletins from Microsoft. Today, Microsoft released 10 patches, addressing 33 individual vulnerabilities. Only two of the patches are identified by Microsoft as critical, both addressing issues in Internet Explorer. One of these is a zero-day vuln that has been actively exploited in the wild over the last couple of weeks, and deserves some immediate attention. This month’s patches include the following:
- (MS13-037) Cumulative Security Update for Internet Explorer (2829530)
- (MS13-038) Security Update for Internet Explorer (2847204)
- (MS13-039) Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)
- (MS13-040) Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
- (MS13-041) Vulnerability in Lync Could Allow Remote Code Execution (2834695)
- (MS13-042) Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution
- (MS13-043) Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
- (MS13-044) Vulnerability in Visio Could Allow Information Disclosure
- (MS13-045) Vulnerability in Windows Essentials Could Allow Information Disclosure
- (MS13-046) Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
Both IE patches are labeled as critical. MS13-037 addresses 11 new vulns in various flavors of IE, but by far the more sensitive one is MS13-038, which addresses a single zero-day vulnerability in IE 8. This vulnerability first surfaced on May 3rd, when it became clear that it was being used to push drive-by-download malware from a hacked US Department of Labor microsite. Days after the initial disclosure, an exploit for this vulnerability was packaged into an easy-to-use module for the popular Metasploit framework. This neatly weaponizes the exploit, and makes it easily accessible to anyone with the inclination to download it. From here it’s only a matter of time before the attack is rolled into the common black market exploit kits. When that happens, it becomes a common part of every attacker’s bag-of-tricks for the foreseeable future.
This threat gives us a good window into how McAfee provides layered protection for our customers, from the endpoint out to the network perimeter. Subscribers to McAfee Labs Security Advisories would have seen a steady stream of information coming from our threat researchers describing the threat, and how our products provide protection:
- On May 6th McAfee Labs released vulnerability check content to allow MVM customers to identify vulnerable systems across the enterprise
- On May 6th McAfee Labs released a new Network Security Platform IPS signature to identify and block exploits of this vulnerability
- On May 7th McAfee Labs verifies that existing behavioral and application whitelisting techniques included in McAfee VirusScan, McAfee Host Intrusion Prevention, and McAfee Application Control provide protection from exploits on the endpoint.
- On May 12th McAfee Labs released specific signatures designed to detect and block known exploits in McAfee VirusScan and McAfee Web Gateway.
In summary, customers running the current McAfee Endpoint Protection suite on their endpoints enjoyed protection from this exploit from the moment it surfaced. As the details of the vulnerability and exploits emerged, additional signatures provided customers with greater visibility and awareness of how their networks are being attacked, as well as additional options for protection at the network layer. This is how security should work, demonstrating great resilience as well as deep situational awareness.
McAfee’s coverage for this month’s vulnerabilities is as follows:
- McAfee VirusScan's buffer overflow protection is expected to provide proactive protection against exploits of 13 out of 33 vulnerabilities this month.
- McAfee Host Intrusion Prevention is expected to provide protection against exploits of 24 out of 33 vulnerabilities this month.
- McAfee Application Control is expected to provide protection against exploits of 22 out of 33 vulnerabilities this month.
- McAfee's Network Security Platform has new signatures confirmed to protect exploits of 7 out of 33 vulnerabilities this month.
- McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Aggregate coverage (combining host and network-based countermeasure together) is 26 out of 33. In particular, coverage for the most critical IE vulns is excellent across the board. Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.