According to Paul Henry, security and forensic analyst at Lumension, it’s another heavy month of patches from Microsoft. There are nine bulletins, two rated critical and seven rated important. While nine may seem like a lot, there are a few pieces of good news this month. First, only two bulletins are critical; most of the patches are rated important. Second, most of the impact falls on the legacy code base rather than on current code, which has been hit more than usual over the last few months. If your systems run the latest versions of the software, as they always should, since the newest release is usually the most secure, you should be minimally affected this month. And finally, despite nine patches, Microsoft is not your biggest issue this month.
As we enter the first patch cycle of Q2, it’s worthwhile to look at the numbers. This year, Microsoft has issued 35 bulletins so far, an average of almost nine per month, of which about three are critical and six are important. Compare that to 2012, when there were 28 bulletins by April, averaging seven per month. Though the overall number is up from 2012, the average number of critical bulletins is holding steady at about three, while important bulletins make up the difference, having averaged four in 2012. With the number of important bulletins increasing but critical bulletins holding steady, we can infer that Microsoft gets better every year at finding the low-risk, low-impact issues and fixing them in a timely manner. This is good news.
Before diving into the patches, there are a few other Microsoft issues to note, including an expected Flash update next week, which users should be prepared for. More importantly, this month marks the one year “death clock” for XP. In April 2014, Microsoft will end support for Windows XP. If you haven’t already, it’s time to start thinking about migrating to a new OS if you’re still running XP.
For the April patches, your first priority is MS13-028, a use-after-free issue in all versions of IE. This is one of the few bulletins this month with a critical impact on current code, hitting Windows 8, Windows RT and Windows 7 with a critical remote code execution issue. It’s a pretty run-of-the-mill bug for the most part. However, there is also a defense-in-depth issue here that was not assigned a CVE because it depends on the user having Java 6.0 or older installed. Given the number of issues Java has had lately, hopefully no one is still running old versions of Java. If you haven’t updated to 7.0 or newer, please do so immediately. Java 7.0 has an automatic update feature that helps keep machines secure with minimal effort from users while we wait for HTML5 to be ready for broad use. Henry recommends that this bulletin be your first patch, and that you update Internet Explorer while you’re at it.
MS13-029 (RDP) is your next priority. It affects RDP, but it is not the type of issue we typically see in Windows RDP: the problem is in the Windows RDP ActiveX control, so it can only be triggered through a browser running the ActiveX control. However, it affects all versions of the RDP client. Notably, the server SKUs are rated moderate while the client SKUs are rated critical. The ActiveX control can be disabled for those who don’t use it, which is a good way to mitigate the risk of this vulnerability.
MS13-030 is an information disclosure issue in SharePoint Server 2013. If a user has multiple tenants on SharePoint, the information disclosure issue could allow authenticated users to view other users’ documents in SharePoint.
MS13-031 is a Windows kernel elevation of privilege issue. There are two CVEs addressed here that would allow a local low-rights user to be elevated to system-level access. One of the interesting things to note is that while one CVE affects all versions of Windows, the other affects only Windows 8 and is the result of faster, newer hardware for the Windows 8 system.
MS13-032 fixes a denial of service vulnerability in Active Directory affecting all versions of Active Directory and ADAM, the Active Directory Application Mode that serves as the lightweight version of Active Directory. An attacker in the Active Directory domain could send a malformed LDS request; while the request is being processed, the server becomes stuck in a memory loop. The server recovers once the request has been processed, but an attacker could keep sending requests to sustain the attack. This is rated important, but if you are running an Active Directory server, you really need to apply this update quickly.
Next is MS13-033, which affects CSRSS, a core Windows component. This is a memory corruption vulnerability that would allow a low-rights user to gain system-level access, but it does not affect newer versions of Windows.
MS13-034 is an elevation of privilege vulnerability in Windows Defender on Windows 8. An unquoted path error would allow an attacker to change the default mode strings or load order, effectively letting the attacker point to different binaries to load instead of what the OS intended. This would require that an attacker had already placed a malicious binary on the machine, which is why it is ranked important rather than critical. By quoting the path, the binaries would be locked, and the risk would be mitigated.
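As an added illustration of the unquoted path mechanism described above (example code written for this page, not from the bulletin or from Lumension): the Python below takes service ImagePath strings (constructed samples, with assumed service and vendor names) and lists, in load order, the extra binaries an unquoted path containing spaces would cause to be tried ahead of the intended one, then produces the quoted form that removes the ambiguity.

```python
from __future__ import annotations
import re

# Constructed sample service ImagePath values (not taken from any real system).
SAMPLE_IMAGE_PATHS = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\svc.exe" -service',
    "BadSvc": "C:\\Program Files\\Bad Vendor\\Tools\\svc.exe -service",
    "SysSvc": "C:\\Windows\\system32\\svchost.exe -k netsvcs",
}


def executable_candidates(image_path: str) -> list[str]:
    """Return the binaries the service loader may try, in search order.

    A quoted path, or an unquoted path without spaces, names exactly one
    binary. An unquoted path with spaces is ambiguous: each prefix ending
    just before a space is tried first as "<prefix>.exe", so the intended
    binary is only the last candidate.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return [path[1:path.index('"', 1)]]
    # Unquoted: the executable runs up to the first ".exe"; the rest is arguments.
    match = re.match(r"(.*?\.exe)", path, re.IGNORECASE)
    exe = match.group(1) if match else path.split(" ")[0]
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def find_unquoted_service_paths(image_paths: dict[str, str]) -> dict[str, list[str]]:
    """Map each ambiguous service to the unintended binaries tried before the real one."""
    findings = {}
    for name, image_path in image_paths.items():
        candidates = executable_candidates(image_path)
        if len(candidates) > 1:
            findings[name] = candidates[:-1]
    return findings


def quote_image_path(image_path: str) -> str:
    """Return the hardened ImagePath: executable in double quotes, arguments kept."""
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe = executable_candidates(path)[-1]
    return f'"{exe}"{path[len(exe):]}'
```

Running `find_unquoted_service_paths` over an export of real service ImagePath values gives an audit list, and `quote_image_path` gives the corrected value for each finding.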
MS13-035 is an HTML sanitization issue. We’ve had a couple of these over the last year; the last time Microsoft updated this was MS12-066. Typically, an HTML sanitization issue needs to be cleaned up across multiple products and this is no different, affecting Office, InfoPath and SharePoint Server 2010.
MS13-036 is another kernel-mode driver issue, similar to the other kernel issue this month. There are four CVEs in this patch. Three allow a local user to exploit kernel race conditions to elevate to system access. The fourth CVE is a moderate elevation of privilege issue, which is unusual for Microsoft. To leverage this CVE, an attacker would need to be an admin, which removes the need to leverage it. Alternatively, a low-rights user would need a specially crafted external device, such as a USB device. Last month, Microsoft had an interesting USB bug that got a lot of attention. This is nothing like that. Last month’s bug allowed computers to be attacked regardless of the user’s log-in status. This month’s bug only allows a logged-on, active system to be attacked, so logon credentials are required. There are easier ways for an attacker to get in.
As Henry noted at the beginning, Microsoft is not your biggest problem this month, as it hasn’t been for a while. For once, Java is not a new problem this month. However, there are a few other interesting stories going around that he wants to call out.
First is the very concerning and ongoing Apache issue known as Darkleech. The Apache server software is apparently being used to facilitate drive-by malware attacks. The attack is very dynamic, randomly serving malicious links to select users but not to others. That inconsistency is making it very difficult for the security community to detect, let alone resolve. It’s an incredibly stealthy piece of malware, and despite the fact that attacks date all the way back to August, there is still no concrete information about mitigation. We’ll be hearing a lot more about Darkleech over the next few months as we learn more about it. In the meantime, keep your security software up to date and be on the lookout for the attack.
Henry is also hearing a lot about DDoS again this month, thanks to the attack on Spamhaus, the largest attack in history, which is being credited with attempting to “break the Internet.” Though cybersecurity attacks are occasionally blown out of proportion, in this case that’s exactly what the attack tried to do. It used misconfigured DNS servers to generate and amplify traffic for the attack.