No Luck O’ the Irish for IT this St. Patty’s Day

    IT admins can’t seem to catch a break this year. First, the never-ending stream of Java issues that has kept folks on their toes since January. Now they’ve got another busy month of patches ahead of them, with seven total patches from Microsoft, four of which are critical. However, once again the issues outside of Microsoft will likely eclipse the Patch Tuesday patches this month.

    According to Paul Henry, security and forensic analyst at Lumension, three months into 2013 and already we’re seeing higher numbers of patches from Microsoft, particularly across critical patches. Last year at this time, Microsoft was averaging seven patches, only two of which were critical. This year, Microsoft has so far averaged close to nine patches, about four of which are critical. To really put things in perspective, by March of 2011, Microsoft was averaging close to six patches, with around one critical patch. We can only hope that this increase is due to a combination of new platforms and better discovery of vulnerabilities, rather than actual ongoing security problems at Microsoft.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 1

    Click through for a rundown of this month’s Patch Tuesday updates, provided by Paul Henry, security and forensic analyst at Lumension.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 2

    According to Henry, your top priority is going to be MS13-021, which is a critical patch for IE addressing nine CVEs. It’s a cumulative update for IE. An interesting fact of note is that Microsoft released IE 10 for Windows 7 this past February and IE 10 is actually not affected on that platform. However, what really stands out here is that it does affect IE 10 on Windows 8 with some remote code execution vulnerabilities. Unfortunately, this represents the latest and greatest of Microsoft’s coding and we’re already finding critical issues with it. Fortunately, none of these “use after free” issues are being publicly exploited. “Use after free” is receiving more attention recently. However, Henry wants to emphasize that it’s not the delivery mechanism that’s a problem. The problem is not taking care of the end game: preventing unauthorized binary from running on your machine in the first place.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 3

    MS13-022 is your second priority. It’s a critical update for a remote code execution issue in Silverlight 5. This browse-an-own attack is a pretty standard one, where users might browse to a website that has malicious content. One important thing to note here is Silverlight 4 is no longer supported by Microsoft. Most users will be on Silverlight 5 already, since many common websites automatically upgrade you. However, if you are still on the old version, you need to upgrade in addition to installing this patch.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 4

    MS13-027 should be your third priority for patching this month, even though it’s ranked important by Microsoft because it requires physical access to pull off. Regardless, it’s a pretty scary vulnerability. This is an elevation of privilege in kernel mode drivers. Normally, with this sort of vulnerability, a low-level authorized user might be elevated to the system level. However, this one is a little different. If your system is actively running and an infected USB is inserted, the kernel mode drivers for USB will actually load and mount the USB device before making the OS aware that the USB is available for use. The vulnerability here is in the USB driver, so the infected driver is already loaded before the OS is really even used. This would then get an attacker into system-level memory, where they could get code execution running at the system level.

    This is scarily similar to existing toolsets like Inception, which allow attackers direct memory access through a firewire or thunderbolt port. Once an attack has access, they can overwrite the location of the admin credentials in RAM. For both Inception and this vulnerability, the computer doesn’t need to be logged in or even unlocked. If Inception were to be updated for this vulnerability, an attacker could do a lot of damage to your machine. Physical access is required, which is why Microsoft has rated it important. Nonetheless, Henry recommends you put this pretty high up on your patch priority list, right behind MS13-021 and MS13-022.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 5

    Next on the list of critical patches is MS13-023, which is a remote code execution issue in Microsoft Visio Viewer. It’s a pretty standard-looking file type vulnerability issue. The attack vector for this would be receiving an email with a contaminated Visio diagram, which might be useful for a spear phishing attack, but is otherwise pretty low-key as an issue.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 6

    The last of the critical updates is MS13-024, which is an elevation of privilege issue with SharePoint. Interestingly, Henry points out, only one of the four CVEs is a critical one. That elevation of privilege vulnerability, which looks eerily like a cross-site scripting issue, would allow attackers to read and write into memory and tamper with content. The other CVEs are a moderate class denial of service and two important elevation of privilege issues. 

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 7

    MS13-025 is an important information disclosure vulnerability in OneNote. If you received a malicious OneNote file via email and opened it, you might give the attacker a look at your other currently open OneNote tabs. For heavy users of OneNote, there is likely to be a mix of personal and professional content in your files.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 8

    Next is MS13-026, which is an important issue for Outlook for Mac. Essentially, it’s a fingerprinting vulnerability. Email spammers will send a bunch of spam email to determine if your email address is valid, which they could then use for other things. Fortunately, the only thing this vulnerability will do is disclose whether or not your email is real. There are unfortunately no mitigation techniques for this, so Mac users will want to install this one quickly.

    No Luck O’ the Irish for IT this St. Patty’s Day - slide 9

    Java has been a problem for quite some time now and is continuing to rear its ugly head – averaging one every day for the last week. More vulnerabilities are out in the wild and Oracle has its hands full keeping the platform patched and ready to go. If you haven’t already, update to the latest version of Java immediately and uninstall all older versions. If you aren’t using Java, uninstall it or disable it. This will be one of the best ways to protect yourself as IT continues to wrestle with a more long-term solution to the Java problem.

    Henry also recommends taking a look at this recent post where he’s listed some tips to help you deal with the Java problem short of revamping your endpoint security strategy.

    Get the Free Newsletter!

    Subscribe to Daily Tech Insider for top news, trends, and analysis.

    Latest Articles