Microsoft’s final update for the year brings us 11 bulletins covering 24 CVE issues.
As is customary, there is the critical IE bulletin, MS13-097. This time it covers 7 CVE issues. As in other months, this includes a number of use-after-free issues that we’ve come to expect in IE. However this month we also get 2 escalation of privilege vulnerabilities (CVE-2013-5045 and CVE-2013-5046), where an attacker could break out of the low integrity sandbox. This assumes of course that the attacker has first gained remote code execution through another vulnerability and then uses one of these vulnerabilities to execute arbitrary programs.
There is also a critical update for GDI+, MS13-096. This one fixes the 0-day vulnerability (CVE-2013-3906) that is being exploited in the wild. The vulnerability exists in the way that TIFF files are handled. To trigger the vulnerability, current exploits embed a malicious TIFF file into a Word file, which triggers an integer overflow in the GDI+ library. Of course, any application which uses GDI+ to display TIFF files is vulnerable to this attack.
The next vulnerability (CVE-2013-3900) exists in the way that signatures are verified in executables. It is classified as remote code execution. However to exploit the vulnerability, user cooperation is required: the user was already planning to execute the file, but it could have been modified by an attacker, even though the signatures has remained intact. MS13-098 changes the way that signatures are handled to prevent this type of attack. A more in-depth description is available on Microsoft's SRD blog.
MS13-099 covers a use-after-free vulnerability (CVE-2013-5056) in Microsoft’s Scripting Runtime Object Library, which could lead to remote code execution. While the vulnerability is in the scripting runtime, it can also be triggered through IE.
Our last critical bulletin for 2013 is MS13-105, where vulnerabilities in Oracle’s Outside In (CVE-2013-5763 and CVE-2013-5791) could allow for remote code execution in Exchange. This update provides downstream patches for the fixes that Oracle has released to address these issues. The bulletin also covers 2 more vulnerabilities though:
- A new fix for CVE-2013-1330, which was already addressed in MS13-067. The vulnerability allows an attacker to potentially execute remote code by passing in a malicious serialized viewstate (which is used to save state in a webpage), when message authentication code (MAC) checking for viewstates is disabled.
- A cross-site-scripting vulnerability in Office Web Applications (CVE-2013-5072)
There are also 6 more bulletins marked as important:
MS13-100, which covers 1 vulnerability (CVE-2013-5059) in Sharepoint, where an authenticated user could gain remote code execution on a SharePoint Server.
The next bulletin, MS13-101, is for Windows Kernel Mode Drivers and provides an update for 5 CVE issues that could allow an attacker to gain an escalation in privileges using various vulnerabilities, including integer overflows and a use-after-free in Win32k, another issue with TrueType font parsing and another double fetch vulnerability. What’s important to note is that this update does NOT address CVE-2013-5065, the 0-day vulnerability that is being exploited in the wild in tandem with the previously discovered (and patched) Adobe Reader vulnerability (CVE-2013-3346). This issue will be fixed in a future update.
There’s also an update (MS13-102) that fixes a buffer overflow (CVE-2013-3878) in Windows Local RPC that could allow escalation of privileges. Followed by a bulletin (MS13-103) for ASP.NET, where an XSS vulnerability exists in its SignalR library.
Finally there’s 2 bulletins that deal with Microsoft Office and cover 1 CVE each:
- MS13-104, which provides a fix for an information disclosure vulnerability in Office 365 (CVE-2013-5054) that is currently being exploited in phishing attacks. This vulnerability allows an attacker to retrieve a user’s authentication token for Office 365 by sending a malicious link.
- MS13-106 provides a fix for an ASLR bypass that is commonly performed via HXDS.dll (CVE-2013-5057), because it hasn't been compiled with DYNAMICBASE (i.e., no ASLR support). Microsoft has a blog post describing the fix here
The VRT has rules SID 27823, 28464-28473, 28487-28488, 28525-28526, 28862-28863, 28865-28878, 28880-28882 to address these issues.