Monster super-critical Patch Tuesday for February 2013


As frequent Naked Security readers know, I write up most of the Patch Tuesday announcements throughout the year. More often than not I take a measured approach, encourage folks to patch and leave it at that.

This month is one of the exceptions. Not only has Microsoft fixed 56 vulnerabilities, but many of them are critical and can be exploited by simply hitting the wrong web site at the wrong moment.

17 of those vulnerabilities are in the 5 critical patches released this morning. The first is probably the most important, MS13-009.

This patch fixes 13 privately disclosed vulnerabilities in Internet Explorer that could result in remote code execution (RCE). In simpler terms, browsing to a malicious web site could result in malware being installed on your computer.

Often the distinction between privately and publicly disclosed vulnerabilities can make a difference as to the urgency of applying the fix. In this case, despite the bugs being privately disclosed, Microsoft is warning that exploitation in the wild is imminent.

MS13-010 is a fix for one of the same CVEs included in MS13-009. You might consider it a double-check to make sure all systems are fixed against this particular VML vulnerability.

MS13-011 fixes a publicly known vulnerability in a Windows media codec. Opening a maliciously crafted media file could result in code execution.

Microsoft Exchange servers with Oracle's Outside In technology could be vulnerable to both a denial of service (DoS) and an RCE if they don't apply MS13-012.

The last of the critical patches, MS13-020, fixes flaws in the RTF file format that could allow RCE if a malicious RTF is opened in WordPad or Word. Microsoft warns that this is likely to be exploited in the wild within 30 days.

The remaining fixes are all rated Important and are mostly elevation of privilege (EoP) and DoS vulnerabilities impacting SharePoint, NFS server, .NET, Windows kernel (33 privately disclosed EoP vulns), TCP/IP and CSRSS.

The advice this Tuesday isn't any different than any other Patch Tuesday. Patch early, patch often. If you are an Internet Explorer shop though, make sure you prioritize those patches to be deployed as soon as possible.


16 Responses to Monster super-critical Patch Tuesday for February 2013

  1. edward · 625 days ago

    Hi, are any of these patches exploitable if I surf with a user account instead of an admin account? Meaning I would have to provide it a password to do any of these? I'm just curious, as since I switched to a low level user account access and Firefox NoScript I have had fewer issues with family PCs.

    • JimboC_Security · 624 days ago

      Hi Edward,

      I also use a standard account for daily use on Windows 7 64 bit.

      It is a good defense but it shouldn’t be your only defense. The Elevation of Privilege flaws being patched might still affect you since those flaws result in admin privileges being granted to an outsider if the exploit is successful.

      You are correct you would need to provide your password before an exploit could install kernel mode drivers or any other changes that require admin privileges (this would not protect against successfully exploited Elevation of Privilege flaws) but an exploit could still perform any action that does not need admin rights.

      The above explanation is my understanding of how standard and admin accounts affect exploits. To anyone that feels I have misinterpreted anything, please feel free to correct me.

    • JimboC_Security · 624 days ago

      Firefox with No Script is a great way of reducing your attack surface via your web browser. I would also recommend using Microsoft EMET which is available from the following link:
      http://www.microsoft.com/emet

      How to configure EMET for most systems is demonstrated in the following video. A discussion of its benefits is also provided:
      http://www.microsoft.com/en-us/showcase/details.a...

      EDIT: 14th Feb 2013:

      It is not necessary to follow the advice contained in the links to the Rationally Paranoid site below since the All.xml Deployment Profile included with EMET 3.0 and EMET 3.5 Tech Preview provides full protection for Firefox and Mozilla Thunderbird. Using this profile is the simplest method and is explained in the video linked to above.

      I have provided the links below if you wish to protect other commonly used software with EMET.
      http://www.rationallyparanoid.com/articles/micros... http://www.rationallyparanoid.com/articles/micros...

      I hope this helps. Thank you.

  2. Chaotic Neutral · 625 days ago

    Where do I download this patch?

  3. KotBegemot · 624 days ago

    Check your plugins and IE at the same time.

  4. MikeP_UK · 624 days ago

    Our XP Pro SP3 installation needed 13 updates. It had been checked as usual on Monday so needed none then. Our Vista Business installation also needed 13 updates, again it had been checked Monday and needed none then. So it seems many will need 13 patches, not 12 as Chester suggests.
    Both systems need a FULL restart (from OFF) and not just a normal reboot as some of the changes affect services loaded first, before the Windows GUI environment starts. Just doing a simple restart does not restart those services. The system tray notification icons get screwed and some may require a re-install to have shown again!
    Overall, a typical MS batch that has still got some errors probably due to poor test coverage.

  5. jimmy b · 624 days ago

    Your link to rationallyparanoid is being truncated

    http://www.rationallyparanoid.com/articles/micros
    Not Found

    The requested URL /articles/micros was not found on this server.

    Additionally, a 403 Forbidden error was encountered while trying to use an ErrorDocument to handle the request.

    >Additional info about configuring EMET for use with Firefox is >provided in the following links:

    &gt ;http://www.rationallyparanoid.com/articles/micros...
    &gt ;http://www.rationallyparanoid.com/articles/micros...

      • JimboC_Security · 624 days ago

        Hi Jimmy B,

        Thanks for pointing this out.

        It’s strange, the links are displaying fine for me with IE 10 Release Preview on Windows 7 64 bit. I tried copying and pasting them and they work fine too. Those extra characters that you posted at the beginning of the links are not visible to me.

        Google Chrome 25.0.1364.68 Beta also has no issues with these links.

        Thanks for posting a correction. If you or anyone else has any further issues with the links that I posted, please let me know.

  6. makeitman · 623 days ago

    Anyone notice their Vista machine being hosed after this update? Can't get mine to start this AM.

    • JimboC_Security · 620 days ago

      Hi makeitman,

      My apologies for not replying sooner. I only patched my Vista Ultimate 64 bit SP2 PC yesterday. It installed all of the following updates successfully:

      kb2792100
      kb2797052
      kb2789646 (.Net 2.0 SP2)
      kb2789642 (.Net 4.0)
      kb2778344
      kb2780091
      kb2790655
      kb2799494
      kb890830

      I have since rebooted this PC several times and it continues to work as normal.

      I would suggest using Start-up repair or System Restore to restore your PC back to a working state:
      http://windows.microsoft.com/en-US/windows-vista/...
      http://windows.microsoft.com/en-US/windows-vista/...

      The second link above also explains how to access the System Restore feature while your PC is attempting to boot.

    • JimboC_Security · 620 days ago

      If you have installed any programs after the security updates or have made other settings changes, you should undo those changes or uninstall those programs. You may need to access Windows Safe mode to do this:
      http://windows.microsoft.com/en-US/windows-vista/...

      If you believe that the Microsoft Security Updates are causing the start-up issues for you, you can contact Microsoft Technical Support. You SHOULD not be charged for technical support. Microsoft provides free support for issues caused by security updates.

      If they determine the issue was caused by something else they will charge between US $70 and US $100 to resolve it.

      You can contact Microsoft Support from the following link:
      http://support.microsoft.com/select/?target=assis...

      Alternatively you could take your computer to a local repair shop for them to begin troubleshooting the issue.

      If I can provide any further assistance, please let me know. Thank you.

  7. macgyver826 · 622 days ago

    Chester, the updates didn't show up in my computer until this morning.

    Question: You show MS numbers above, as in MS13-009. I can't relate any of the numbers to the updates from MS, because they use KB numbers, as in KB2792100.

    What's up with that? How do we relate your numbers to the update numbers that show up in the MS updates?

    • JimboC_Security · 619 days ago

      Hi macgyver826,

      I will show you how to relate the update numbers i.e. the kb number (knowledge base) numbers to the Microsoft Security (MS) bulletin numbers.

      For example, MS13-009 is available to view at the following link:
      http://technet.microsoft.com/en-us/security/bulle...

      In the title at the top of page you will see the following:

      Microsoft Security Bulletin MS13-009 - Critical
      Cumulative Security Update for Internet Explorer (2792100)

      The 2792100 is the kb number i.e. kb2792100. To view the knowledge base article for this number, please visit the following link, it references the above security bulletin (MS13-009):
      http://support.microsoft.com/kb/2792100

    • JimboC_Security · 619 days ago

      For some security bulletins like Internet Explorer the bulletin number matches the update that will be delivered to your PC. This is not always the case.

      For example, MS13-015 for the .Net Framework available from the following link:
      http://technet.microsoft.com/en-us/security/bulle...

      Its kb number is kb2800277. However, in this case, it is only a reference number. kb2800277 will not be downloaded to your PC since it essentially doesn’t exist.

      The actual update numbers are listed further down the page, for example, for Windows XP SP3 for .Net Framework 2.0 SP2 the update number is kb2789643. While for .Net Framework 4.0 the number is kb2789642.

      If you have both of the versions of the .Net Framework installed on your PC, you will be offered both updates thus 2 updates can be part of the same security bulletin.

      These numbers are the updates that will be downloaded to your PC. You can tell that kb2800277 is only a reference number since it does not match any of the updates listed on the page.

    • JimboC_Security · 619 days ago

      When updates are offered by Windows Update you can find out what bulletin they match with by clicking the update in the list displayed to you and choosing the blue "More Information" link that appears either below the update (for Windows XP) or displayed on the right hand side of the Windows Update window (Windows Vista, Windows 7 and Windows 8).

      I hope the above explanation answers your question. If I can provide any further clarification, please let me know. Thank you.
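
The KB-to-bulletin relationship explained in the replies above, as an added example that is not part of the original post or comments: it pulls KB numbers out of a pasted update list and groups them by bulletin, treating a title KB that is never installed (MS13-015's kb2800277) as reference-only. The function names are hypothetical, and the table holds only the numbers stated in this thread, so other KBs are reported as unmapped.

```python
import re

# Bulletin data taken from the comment thread above. "reference_kb" is the
# number in the bulletin title; "packages" are the KBs actually installed.
BULLETINS = {
    "MS13-009": {"reference_kb": "2792100", "packages": {"2792100"}},
    # MS13-015: the title KB (2800277) is only a reference, never installed.
    "MS13-015": {"reference_kb": "2800277", "packages": {"2789643", "2789642"}},
}

KB_PATTERN = re.compile(r"\bkb\s*(\d{6,7})\b", re.IGNORECASE)


def extract_kbs(text):
    """Return KB numbers found in free text, in order, without duplicates."""
    seen = []
    for number in KB_PATTERN.findall(text):
        if number not in seen:
            seen.append(number)
    return seen


def map_to_bulletins(installed_text):
    """Group installed KBs by bulletin and list KBs the table cannot place."""
    report = {"bulletins": {}, "unmapped": [], "reference_only": []}
    for kb in extract_kbs(installed_text):
        owners = [b for b, d in BULLETINS.items() if kb in d["packages"]]
        if not owners:
            # Not in the table: look it up via the "More Information" link.
            report["unmapped"].append(kb)
        for bulletin in owners:
            report["bulletins"].setdefault(bulletin, []).append(kb)
    # A reference-only KB missing from the installed list is expected.
    for bulletin, data in BULLETINS.items():
        if data["reference_kb"] not in data["packages"]:
            report["reference_only"].append((bulletin, data["reference_kb"]))
    return report


# Constructed sample: part of the update list quoted in the Vista comment.
SAMPLE = """kb2792100
kb2797052
kb2789646 (.Net 2.0 SP2)
kb2789642 (.Net 4.0)
kb890830"""

if __name__ == "__main__":
    print(map_to_bulletins(SAMPLE))
```
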


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.