
It's Microsoft Patch Tuesday: December 2013

Alan Shimel gathers the information you need to make the right deploy decision when applying Microsoft's December 2013 patches in your organization.

By Alan Shimel

Editor's note: Alan Shimel is filling in for Tony Bradley this month.

Microsoft released eleven new security bulletins for the December Patch Tuesday, closing out 2013 with 106 security bulletins. While that tops last year's total of 83, it is roughly in line with 2010 (106) and 2011's (100) numbers.

The eleven bulletins for the month continue Microsoft's recent policy of releasing patches at a steady rate, rather than the boom-or-bust approach of previous years, where the monthly count would swing from just a few to two dozen or more. This gives IT admins a bit more predictability in their patch activities.

Microsoft seems to be averaging just about nine a month, so this month is a bit heavy with five critical and six important security bulletins.

All five critical bulletins deal with remote code execution, so they should be addressed. The highest priority for IT admins should be the first bulletin, which closes a known zero-day bug documented in KB2896666. There is another known zero day out there, KB2914486, which is not addressed this month. That zero day attacks through Adobe Reader, so patching to the latest version of Reader is highly recommended.

Any remote code execution vulnerability gets my attention, so I would not delay too long in addressing those five patches. While the other four don't have zero days around them, they are important enough to address now. We are all busy with the holiday season, so addressing the other six patches early on, if they apply to you (pay attention to which platforms they cover), will let you enjoy the holidays with at least this off your plate.

Happy Holidays!


This blog post is also available in the PDF format in a TechRepublic Download.


Security Patches

This month's eleven security bulletins address a total of 22 separate vulnerabilities spanning Internet Explorer, Microsoft Office, Exchange, Surface 2 and more.

[Priority rating: 3 flags]

MS13-088 / KB2888505 – Cumulative Security Update for Internet Explorer

More than half of the vulnerabilities this month are addressed with this one update. MS13-088 resolves ten separate vulnerabilities affecting all versions of Internet Explorer from IE6 to IE11. Two of the flaws could allow information disclosure, and the remaining eight are memory corruption issues that could be exploited to enable an attacker to execute malicious code remotely on the vulnerable system. There are no known exploits in the wild currently for these vulnerabilities, but an attacker could execute an exploit by crafting a malicious Web page and luring users to visit it.

[Priority rating: 2 flags]

MS13-089 / KB2876331 – Vulnerability in Windows Graphics Device Interface Could Allow Remote Code Execution

This security bulletin is rated as Critical by Microsoft because the flaw could allow an attacker to execute malicious code remotely on the target system, and the flaw impacts all supported versions of Windows from Windows XP to Windows 8.1. The severity, however, is tempered significantly by the fact that an attacker would have to create a malicious file, and somehow convince a user to open it using WordPad - an application that very few people actually use.

[Priority rating: 3 flags]

MS13-090 / KB2900986 – Cumulative Security Update of ActiveX Kill Bits

MS13-090 is an urgent update for two reasons. First, a successful exploit of the vulnerability enables the attacker to execute malicious code on the compromised system. Second, this is a zero-day flaw that is already being actively exploited in the wild. A specially-crafted malicious Web page can be used to trigger the flawed ActiveX control and compromise the system. All desktop versions of Windows are affected, but the potential threat can be minimized by ensuring users don't operate with full administrator privileges.

[Priority rating: 2 flags]

MS13-091 / KB2885093 – Vulnerabilities in Microsoft Office Could Allow Remote Code Execution

This security bulletin addresses three vulnerabilities in Microsoft Office - impacting Office 2003, 2007, 2010, and 2013. One of the three vulnerabilities spans all versions of Office, and will probably be the one any attackers will focus their attention on. The security bulletin is only rated as Important by Microsoft, but because Microsoft Office is so pervasive, and a successful attack could lead to remote code execution, this patch should be a higher priority.

[Priority rating: 1 flag]

MS13-092 / KB2893986 – Vulnerability in Hyper-V Could Allow Elevation of Privilege

The threat from MS13-092 is relatively limited. The vulnerability is specific to Windows 8 and Windows Server 2012 - Windows 8.1 and Windows Server 2012 R2 are unaffected. A successful attack could lead to an elevation of privilege or to a denial of service by crashing the hypervisor, but the attacker would first need access to a guest virtual machine running within the Hyper-V host in order to pass a specially crafted hypercall to trigger the exploit.

[Priority rating: 1 flag]

MS13-093 / KB2875783 – Vulnerability in Windows Ancillary Function Driver Could Allow Information Disclosure

This flaw poses very little risk. A memory disclosure vulnerability in the Windows ancillary function driver can lead to an elevation of privilege and possible information disclosure. However, the attacker has to first be logged on to the vulnerable system with valid local credentials, and then execute a specially-crafted application to trigger the flaw. A remote attacker would first need to successfully exploit some other flaw to gain control of the target system before this flaw could be a threat.

[Priority rating: 1 flag]

MS13-094 / KB2894514 – Vulnerability in Microsoft Outlook Could Allow Information Disclosure

This is a publicly disclosed vulnerability that affects Outlook 2007, 2010, and 2013. If an attacker tricks a user into opening a specially-crafted malicious email message using an affected version of Outlook, it could lead to information disclosure. The attacker may be able to extract details such as IP address, open TCP ports, and other sensitive information.

[Priority rating: 1 flag]

MS13-095 / KB2868626 – Vulnerability in Digital Signatures Could Allow Denial of Service

MS13-095 also poses virtually no real risk in and of itself. A flaw in how Microsoft interprets digital signatures can be exploited with a specially-crafted X.509 certificate to crash the affected system and cause a denial of service condition.

[Priority rating: 3 flags]

MS13-096 / KB2908005 - Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution

This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files.

[Priority rating: 3 flags]

MS13-097 / KB2898785 - Cumulative Security Update for Internet Explorer

This security update resolves seven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

[Priority rating: 3 flags]

MS13-098 / KB2893294 - Vulnerability in Windows Could Allow Remote Code Execution

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

[Priority rating: 3 flags]

MS13-099 / KB2909158 - Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

[Priority rating: 3 flags]

MS13-100 / KB2904244 - Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution

This security update resolves multiple privately reported vulnerabilities in Microsoft Office server software. These vulnerabilities could allow remote code execution if an authenticated attacker sends specially crafted page content to a SharePoint server. An attacker who successfully exploited these vulnerabilities could run arbitrary code in the security context of the W3WP service account on the target SharePoint site.

[Priority rating: 2 flags]

MS13-101 / KB2880430 - Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege

This security update resolves five privately reported vulnerabilities in Microsoft Windows. The more severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

[Priority rating: 2 flags]

MS13-102 / KB2898715 - Vulnerability in LRPC Client Could Allow Elevation of Privilege

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker spoofs an LRPC server and sends a specially crafted LPC port message to any LRPC client. An attacker who successfully exploited the vulnerability could then install programs; view, change, or delete data; or create new accounts with full administrator rights. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

[Priority rating: 2 flags]

MS13-103 / KB2905244 - Vulnerability in ASP.NET SignalR Could Allow Elevation of Privilege

This security update resolves a privately reported vulnerability in ASP.NET SignalR. The vulnerability could allow elevation of privilege if an attacker reflects specially crafted JavaScript back to the browser of a targeted user.

[Priority rating: 1 flag]

MS13-104 / KB2909976 - Vulnerability in Microsoft Office Could Allow Information Disclosure

This security update resolves one privately reported vulnerability in Microsoft Office that could allow information disclosure if a user attempts to open an Office file hosted on a malicious website. An attacker who successfully exploited this vulnerability could ascertain access tokens used to authenticate the current user on a targeted SharePoint or other Microsoft Office server site.

[Priority rating: 3 flags]

MS13-105 / KB2915705 - Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

This security update resolves three publicly disclosed vulnerabilities and one privately reported vulnerability in Microsoft Exchange Server. The most severe of these vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. These vulnerabilities could allow remote code execution in the security context of the LocalService account if an attacker sends an email message containing a specially crafted file to a user on an affected Exchange server. The LocalService account has minimum privileges on the local system and presents anonymous credentials on the network.

[Priority rating: 2 flags]

MS13-106 / KB2905238 - Vulnerability in a Microsoft Office Shared Component Could Allow Security Feature Bypass

This security update resolves one publicly disclosed vulnerability in a Microsoft Office shared component that is currently being exploited. The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer. In a web-browsing attack scenario, an attacker who successfully exploited this vulnerability could bypass the Address Space Layout Randomization (ASLR) security feature, which helps protect users from a broad class of vulnerabilities. The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.
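The bulletin summaries above pair each MS13 identifier with a KB article, which is the starting point for a deployment check. The following PowerShell snippet is an added example, not code from the article or from Microsoft: it takes the eleven December bulletins (MS13-096 through MS13-106) with the KB numbers exactly as listed above and reports which of them Get-HotFix can see on the local host. It assumes an elevated PowerShell session on the machine being audited. Two caveats a practitioner needs: Get-HotFix (Win32_QuickFixEngineering) reports only Windows updates, so the Office, SharePoint, Exchange and SignalR entries are flagged as "not checkable here" rather than "missing"; and the KB shown in Windows Update for a given product can differ from the bulletin-level KB quoted here, so a "missing" result should be confirmed against the per-product KB table on the bulletin page before it is treated as a gap.

```powershell
# Added example: audit the local host for the December 2013 bulletins listed above.
# Assumption: run elevated; Get-HotFix only covers Windows updates (see WindowsHost).
$bulletins = @(
    @{ Id='MS13-096'; KB='KB2908005'; WindowsHost=$true;  Title='Graphics Component RCE (TIFF)' },
    @{ Id='MS13-097'; KB='KB2898785'; WindowsHost=$true;  Title='Internet Explorer cumulative update' },
    @{ Id='MS13-098'; KB='KB2893294'; WindowsHost=$true;  Title='Signed PE file RCE' },
    @{ Id='MS13-099'; KB='KB2909158'; WindowsHost=$true;  Title='Scripting Runtime Object Library RCE' },
    @{ Id='MS13-100'; KB='KB2904244'; WindowsHost=$false; Title='SharePoint Server RCE' },
    @{ Id='MS13-101'; KB='KB2880430'; WindowsHost=$true;  Title='Kernel-mode driver EoP' },
    @{ Id='MS13-102'; KB='KB2898715'; WindowsHost=$true;  Title='LRPC client EoP' },
    @{ Id='MS13-103'; KB='KB2905244'; WindowsHost=$false; Title='ASP.NET SignalR EoP' },
    @{ Id='MS13-104'; KB='KB2909976'; WindowsHost=$false; Title='Office token disclosure' },
    @{ Id='MS13-105'; KB='KB2915705'; WindowsHost=$false; Title='Exchange Server RCE' },
    @{ Id='MS13-106'; KB='KB2905238'; WindowsHost=$false; Title='Office shared component ASLR bypass' }
)

# HotFixID values look like "KB2908005"; collect them once rather than querying per bulletin.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$report = foreach ($b in $bulletins) {
    $status = if (-not $b.WindowsHost) {
        'not checkable via Get-HotFix'   # Office/server package; check the product's own update history
    } elseif ($installed -contains $b.KB) {
        'installed'
    } else {
        'missing (confirm per-product KB on bulletin page)'
    }
    [pscustomobject]@{ Bulletin=$b.Id; KB=$b.KB; Status=$status; Title=$b.Title }
}

$report | Sort-Object Status, Bulletin | Format-Table -AutoSize

$missing = @($report | Where-Object { $_.Status -like 'missing*' })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} Windows bulletin KB(s) not reported by Get-HotFix on {1}: {2}" -f `
        $missing.Count, $env:COMPUTERNAME, ($missing.Bulletin -join ', '))
}
```

The table is deliberately three-state rather than installed/missing so that a server without Office does not show eleven false gaps; extending the check to Office or Exchange means reading those products' own update inventories, which Get-HotFix does not expose.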


As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from start-up to helping defend some of the largest and most sensitive networks in the world.

Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com).

Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.


9 comments
TuesdayNews

I would really appreciate it if you would use the same KB numbers listed in Windows Update. This would save me the trouble of opening and reading the "more information" webpage for each update. I patch both windows 7 and 8.1 computers, and the KB numbers don't match yours on any of these systems. Perhaps there are multiple KB numbers corresponding to each MS number. If so, would it be possible to get all of the relevant KB numbers for each update?

kylebutler

I think I need some help because I was one of those people. I haven't got a clue what I've done. I've received a message about the incident but I didn't think it was true. Can somebody give me some advice please? Really panicking.

Gisabun

The list doesn't even include the number of required non-security updates.

Even worse is the number of Office 2013 updates released. I counted 12 of them, totaling 350+ MB.

And yes. A bunch of the updates above were from November [and not updates].

click-click

Half the patches listed are from November's Patch Tuesday. 

dhamilt01

GHFC - My brand new Windows 8.1 desktop computer restarted 6 times after installing these updates. Are we going back to Windows XP days?

Mark W. Kaelin (moderator)

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having.

WizzoTheWaz

@Mark W. Kaelin I know lots of people with XP now have systems that won't run if they are connected to the internet. Is this happening to anyone else and, if so, how did you get around the problem?

Gisabun

@WizzoTheWaz @Mark W. Kaelin Huh? Nothing is stopping a computer from accessing the Internet. Microsoft [I'm sure] is not blocking them with a Windows update. I've seen two cases over the past 6 months. Both had malware on the system. Bad enough that nothing could be done to repair other than a complete re-install.
