MS13-027 should be your third priority for patching this month, even though Microsoft ranks it Important, a rating it gets because exploitation requires physical access. Regardless, it’s a pretty scary vulnerability. This is an elevation of privilege in kernel mode drivers. Normally, with this sort of vulnerability, a low-level authorized user might be elevated to the system level. However, this one is a little different. If your system is actively running and an infected USB device is inserted, the kernel mode drivers for USB will actually load and mount the device before making the OS aware that it is available for use. The vulnerability here is in the USB driver, so the infected driver is already loaded before the OS is really even used. This would then get an attacker into system-level memory, where they could get code execution running at the system level.
This is scarily similar to existing toolsets like Inception, which allow attackers direct memory access through a FireWire or Thunderbolt port. Once an attacker has access, they can overwrite the location of the admin credentials in RAM. For both Inception and this vulnerability, the computer doesn’t need to be logged in or even unlocked. If Inception were to be updated for this vulnerability, an attacker could do a lot of damage to your machine. Physical access is required, which is why Microsoft has rated it Important. Nonetheless, Henry recommends you put this pretty high up on your patch priority list, right behind MS13-021 and MS13-022.
IT admins can’t seem to catch a break this year. First came the never-ending stream of Java issues that has kept folks on their toes since January. Now they’ve got another busy month of patches ahead of them, with seven total patches from Microsoft, four of which are critical. However, once again the issues outside of Microsoft will likely eclipse the Patch Tuesday patches this month.
According to Paul Henry, security and forensic analyst at Lumension, three months into 2013 we’re already seeing higher numbers of patches from Microsoft, particularly critical ones. Last year at this time, Microsoft was averaging seven patches, only two of which were critical. This year, Microsoft has so far averaged close to nine patches, about four of which are critical. To really put things in perspective, by March of 2011, Microsoft was averaging close to six patches, with around one critical patch. We can only hope that this increase is due to a combination of new platforms and better discovery of vulnerabilities, rather than actual ongoing security problems at Microsoft.