According to Paul Henry, security and forensic analyst at Lumension, it looks like 2013 is off to a fairly average start with seven bulletins: two critical and five important. You may recall that January of 2012 also came in with seven bulletins, though only one was critical. After closing out 2012 with more consistency in the number of patches per month, we can only hope that 2013 will continue in that same vein. Fortunately, nothing patched this month is under active exploit and everything reported correctly, so there’s actually pretty minimal risk to users.
This month may be average, but that doesn’t mean it’ll be an easy one for IT. There are a lot of restarts this month and they impact nearly all Windows operating systems.
Before jumping into this month’s bulletins, it’s interesting, though not surprising, to note that Microsoft is still working on a fix for the IE zero-day vulnerability. Henry figures that we’ll see either an out-of-band patch or a fix in next month’s release. If you haven’t already, install the Fix It workaround, especially if you’re using an older version of IE. The Fix It blocks all the known exploits, and if new attacks come up, your browser will simply crash, which is preferable to the alternative.
Bulletin 1 is probably the most important vulnerability, affecting Print Spooler. Print jobs carry a header in a defined format, and if that header is constructed a certain way, it can lead to remote code execution. From an attack perspective, someone could create a batch of print jobs with malformed headers and send them to a network printer so they queue up in order; when someone else on the network prints to the same printer, Print Spooler enumerates all the pending print jobs, and that is where the remote code execution happens.
Bulletin 2 is an XML parsing vulnerability affecting all versions of Microsoft’s XML component. It’s a remote code execution issue, but realistically the browser is very likely the only attack vector. However, XML is a core Windows component, which is why it affects so many different Windows versions. This is pretty similar to previous XML issues.
Looking at the important bulletins, Bulletin 3 is an elevation of privilege issue affecting the central update distribution service that enterprises use. It’s a cross-site scripting vulnerability in the SCOM console, which Microsoft typically updates. Attackers would need to know who the admin is, get them to follow a link, and do it at a fairly specific time, which is difficult to pull off.
Next, Bulletin 4 is also an elevation of privilege issue, affecting all versions of .NET. What’s really interesting here is that these types of vulnerabilities used to be remote code executions. A sandbox was introduced into all versions of .NET over the last few months, which downgraded the exploitability of this class of vulnerability.
Bulletin 5 is a kernel mode driver elevation of privilege issue. Two barriers must be overcome for this attack to work. For example, if you’re using an application with a built-in sandbox, such as Adobe PDF Reader, an attacker first has to bypass the sandbox, which requires its own vulnerability, and only then can go into kernel mode to raise the integrity level. Interestingly, this exploit only allows a bump up to a medium-rights user, not to admin rights.
Bulletin 6 is an update to SSL and TLS. With this issue, when a Microsoft property communicates with a non-Microsoft property, it was possible that a third party’s version downgrades and negotiations were not handled properly, so the entire communication would be downgraded to SSL v2, which is not as strong as SSL v3. Fortunately, this isn’t being exploited; it is more a security feature that needed to be cleaned up a bit in order to live up to its promise.
And finally, there is Bulletin 7, a denial of service vulnerability affecting the Open Data Protocol (OData) that a lot of services use. An attacker can send very specific HTTP requests to a server exposing this protocol service that use its find-and-replace function, which could be used to replace a single “a” with a million “a”s. As the server processes such a request, it fills up all of its memory, effectively crashing the service and then the server.
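The defensive counterpart of the replace-expansion issue above is to size the result of a query-string replace before materialising it. The following is an added example, not code from the article or from Microsoft’s OData implementation; it assumes a simplified `replace(field,'old','new')` filter syntax and a constructed sample record, and rejects any replace whose projected output exceeds a fixed cap.

```python
import re

# Hard cap (assumed policy value) on the size of any string a filter may produce.
MAX_RESULT_BYTES = 64 * 1024

# Simplified, assumed OData-style call: replace(Field,'old','new')
REPLACE_RE = re.compile(r"replace\(\s*(\w+)\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)")


class ExpansionLimitError(ValueError):
    """Raised when a replace() would produce more data than the cap allows."""


def projected_length(value: str, old: str, new: str) -> int:
    """Length of value.replace(old, new), computed without building the result."""
    if not old:
        # Python's str.replace with an empty needle inserts `new` around every char.
        return len(value) + (len(value) + 1) * len(new)
    return len(value) + value.count(old) * (len(new) - len(old))


def bounded_replace(value: str, old: str, new: str, cap: int = MAX_RESULT_BYTES) -> str:
    """Perform the replace only after proving the output fits under the cap."""
    projected = projected_length(value, old, new)
    if projected > cap:
        raise ExpansionLimitError(f"replace() would expand to {projected} bytes (cap {cap})")
    return value.replace(old, new)


def check_filter(expr: str, record: dict, cap: int = MAX_RESULT_BYTES) -> int:
    """Scan every replace() in a $filter against one record and return the largest
    projected result size; raises before any oversized string is allocated."""
    worst = 0
    for field, old, new in REPLACE_RE.findall(expr):
        projected = projected_length(record.get(field, ""), old, new)
        if projected > cap:
            raise ExpansionLimitError(f"{field}: {projected} bytes exceeds cap {cap}")
        worst = max(worst, projected)
    return worst


if __name__ == "__main__":
    # Constructed sample record; the first filter is benign, the second is not.
    record = {"Name": "banana", "Notes": "a" * 1000}
    print(check_filter("replace(Name,'a','aa') eq 'baanaanaa'", record))
    try:
        check_filter("replace(Notes,'a','" + "a" * 100 + "') ne ''", record)
    except ExpansionLimitError as err:
        print("rejected:", err)
```

A request-body size limit in front of the service is the complementary control, since the oversized `new` literal itself arrives in the HTTP request.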
Henry also wants to point out that on Thursday, Microsoft revoked three certificates from a Turkish certificate authority, EKO, which had been issued for Google.com. Microsoft moved them to the untrusted store, following on the heels of what Google and Mozilla have already done. If you’re running anything below Windows 8, be sure to check for the updates to those certificates. If you’re on Windows 8 or above, you should be safe because your certificates are updated automatically. Henry advises using automatic updates to be sure you are always protected by the most recent certificate information.
There is also an Nvidia display driver issue that Nvidia is fixing right now. Unfortunately, Microsoft’s Driver Logo Program, which vets all drivers before releasing them, may slow delivery of this patch to Microsoft users. This issue affects both Windows 8 and Windows RT.