APSB13-09 – Adobe Flash March 2013 Security Bulletin Review

Adobe has release, the 12 March 2013, during his March Patch Tuesday, one Adobe Flash security bulletin dealing with four vulnerabilities. This security bulletin has a Critical severity rating. The associated vulnerabilities have all 10.0 CVSS base score.

APSB13-09 – Security updates available for Adobe Flash Player

APSB13-09 is concerning :

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

CVE-2013-0646 (10.0 CVSS base score) has been discovered and privately reported by an anonymously through iDefense’s Vulnerability Contributor ProgramCVE-2013-0650 (10.0 CVSS base score) has been discovered and privately reported by a Attila Suszter of Reversing on Windows blogCVE-2013-1371 (10.0 CVSS base score) and CVE-2013-1375 (10.0 CVSS base score) have been discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

Microsoft March 2013 Patch Tuesday Review

Microsoft has release, the 12 March 2013, during his March Patch Tuesday, one updated security advisory and seven security bulletins. On the seven security bulletins four of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2824670 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-09.

MS13-021 – Cumulative Security Update for Internet Explorer

MS13-021 security update, classified as Critical, allowing remote code execution, is the fix for 8 privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. CVE-2013-0087 (9.3 CVSS base score) was discovered and privately reported by Arseniy Akuney of TELUS Security LabsCVE-2013-0088 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0089 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0090 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security, working with HP’s Zero Day Initiative, and SkyLined, working with HP’s Zero Day InitiativeCVE-2013-0091 (9.3 CVSS base score) was discovered and privately reported by Jose A Vazquez of Yenteasy Security Research, working with the Exodus Intelligence. CVE-2013-0092 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with HP’s Zero Day InitiativeCVE-2013-0093 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with HP’s Zero Day InitiativeCVE-2013-0094 (9.3 CVSS base score) was discovered and privately reported by Simon Zuckerbraun, working with HP’s Zero Day InitiativeCVE-2013-1288 (9.3 CVSS base score) was discovered and publicly disclosed by Gen Chen of Venustech ADLab and by Qihoo 360 Security Center.

MS13-022 – Vulnerability in Silverlight Could Allow Remote Code Execution

MS13-022 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0074 (9.3 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security.

MS13-023 – Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

MS13-023 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0079 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with VeriSign iDefense Labs.

MS13-024 – Vulnerabilities in SharePoint Could Allow Elevation of Privilege

MS13-024 security update, classified as Critical, allowing elevation of privilege, is the fix for four privately reported vulnerabilities. CVE-2013-0080 (7.5 CVSS base score) was discovered and privately reported by Emanuel Bronshtein of BugSecCVE-2013-0083 (4.3 CVSS base score) was discovered and privately reported by Sunil Yadav of INR Labs (Network Intelligence India). CVE-2013-0084 (7.5 CVSS base score) was discovered and privately reported by Moritz Jodeit of n.runs AGCVE-2013-0085 (7.8 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-025 – Vulnerability in Microsoft OneNote Could Allow Information Disclosure

MS13-025 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability. CVE-2013-0086 (5.0 CVSS base score) was discovered and reported by Christopher Gabriel of Telos Corporation.

MS13-026 – Vulnerability in Office Outlook for Mac Could Allow Information Disclosure

MS13-026 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability. CVE-2013-0095 (5.0 CVSS base score) was discovered and reported by Nick Semenkovich.

MS13-027 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

MS13-027 security update, classified as Important, allowing elevation of privilege, is the fix for three privately reported vulnerabilities. CVE-2013-1285 (7.2 CVSS base score), CVE-2013-1286 (7.2 CVSS base score) and CVE-2013-1287 (7.2 CVSS base score) were discovered and reported by Andy Davis of NCC Group.

An interesting blog post is describing MS13-027 “Addressing an issue in the USB driver requiring physical access“. This fix look like to the Stuxnet flaw.

APSB13-01 – Adobe Flash January 2013 Security Bulletin Review

Adobe has release, the 8 January 2013, during his January Patch Tuesday, one Adobe Flash security bulletin dealing with one vulnerability. This security bulletin has a Critical severity rating. The associated vulnerability has a 10.0 CVSS base score.

APSB13-01 – Security updates available for Adobe Flash Player

APSB13-01 is concerning :

  • Adobe Flash Player 11.5.502.135 and earlier versions for Windows
  • Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.258 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.880 and earlier versions for Windows, Adobe AIR 3.5.0.890 and earlier versions for Macintosh and Adobe AIR 3.5.0.880 for Android
  • Adobe AIR 3.5.0.880 SDK and Adobe AIR 3.5.0.890 SDK

CVE-2013-0630, with 10.0 CVSS base score, has been discovered and reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.