Microsoft released seven bulletins on its first patch Tuesday of 2013, addressing 12 vulnerabilities in Windows, Office, Developer Tools and Windows Server.
According to Dustin Childs, group manager of Microsoft Trustworthy Computing, the bulletin administrators should look at first is MS13-002, which resolves two issues in Microsoft XML Core Services that could allow remote code execution if an affected system browsed to a specially crafted website.
Ziv Mador, director of security research at Trustwave, said: “While not impacted itself, Internet Explorer is used as the attack vector for this vulnerability. By tricking a visitor to visit a specially crafted web page, XML Core Services will incorrectly parse certain XML content, resulting in remote code execution.
“Just about everything uses XML Core Services including XP SP3 to Windows 8 and RT, as well as Server 2008, some installations of MS Office, SharePoint and even Groove Server. You may be offered more than one version of this patch depending on which versions of XML Core Services you have installed.”
Paul Henry, security and forensic analyst at Lumension, said: “Bulletin two is an XML parsing vulnerability affecting all versions of XML. It's a remote code execution issue, but realistically the browser is very likely the only attack vector for this. However, XML is a core Windows component, which is why it affects so many different versions. This is pretty similar to previous XML issues.”
Wolfgang Kandek, CTO of Qualys, said: “MS13-002 addresses a vulnerability in the MSXML library, which is an integral part of many Microsoft software packages. It is affecting every Windows version from XP to RT, plus all Office versions and a number of other packages, such as SharePoint and Groove. The most likely attack vector is a malicious web page. But an email with an Office document attachment can also be a viable alternative for attackers. Patch this one as quickly as possible.”
The other critical patch is MS13-001, which affects the spooler service in Windows 7 and 2008.
Ross Barrett, Rapid7's senior manager of security engineering, said: “This issue is not as severe as initially feared. It is an interesting defect in that an attacker could queue malicious print job headers to exploit clients which connect.
“However, as discussed by the Microsoft SRD team, it cannot be triggered by normal, built-in print job enumeration. No one should have a print spooler accessible outside the firewall, but that doesn't prevent exploit as an insider, local exploit for privilege elevation, or an attacker using this for further access once some other footing is gained.”
Mador said that this vulnerability was reported privately to Microsoft and so hasn't been seen in the wild yet, while BeyondTrust CTO Marc Maiffret said: “According to preliminary details, it appears an attacker would need to queue a specially crafted print job to a shared printer; once that print job was queued, an attacker would potentially be able to compromise systems that enumerate the shared printer.
“The catch, according to Microsoft, is that by default Windows itself does not enumerate shared printer queues in a vulnerable way but third party printer management software does in some cases. In Microsoft's bulletin, it says the only mitigating factor is firewalling or disabling the printer service. However, given the extra requirements, it seems harder to exploit than the bulletin would let on. This would normally be considered a wormable vulnerability; however, the default Windows drivers do provide access to the vulnerable functionality, so it would require third party software, such as manufacturers' drivers, to open the attack vector for this vulnerability.”
Andrew Storms, director of security operations for nCircle, said: “Print spooler bugs played a role in the infamous Stuxnet malware, but this bug isn't anything like the vulnerability Stuxnet exploited. This bug requires a watering hole-style attack method, so it'll be pretty popular in attacker forums. This bug should also be patched pronto.”
The remaining five bulletins are rated as ‘important’ as they do not allow code execution. MS13-004 addresses several .NET issues; MS13-005 fixes a flaw in the win32k.sys kernel module that weakens the AppContainer sandbox in Windows 8; and MS13-006 prevents a protocol attack on SSL v3 that can happen when a Microsoft browser communicates with a third-party web server.
Bulletin MS13-007 fixes a denial-of-service vulnerability affecting the Open Data Protocol. Henry said: “An attacker can provide very specific HTTP requests to a server that is open to this protocol service using a find and replace, which could be used to replace a single ‘a’ with a million ‘a’s. As the server is processing this request, it would fill up all its memory, effectively crashing the service followed by the server.”
Finally, MS13-003 addresses a couple of cross-site scripting vulnerabilities within the System Center Operations Manager, including an elevation of privilege issue affecting the central update distribution service that enterprises use.
Barrett said: “MS13-003 is actually a cross-site scripting flaw in the Microsoft SCOM login page; however, it requires the attacker to know a valid user name.”
Adobe released security updates for their Air and Flash Player products yesterday, while Mozilla also released new versions of Mozilla Firefox and Thunderbird 18,