Category Archives: Vulnerability Management

Microsoft April 2013 Patch Tuesday Review

Microsoft has release, the 9 April 2013, during his April Patch Tuesday, one updated security advisory and nine security bulletins. On the nine security bulletins two of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. KB2833510 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-11.

MS13-028 – Cumulative Security Update for Internet Explorer

MS13-028 security update, classified as Critical, allowing remote code execution, is the fix for 2 privately reported vulnerabilities in Internet Explorer. CVE-2013-1303 (6.8 CVSS base score) and CVE-2013-1304 (6.8 CVSS base score) were discovered and privately reported by Ivan Fratric and Ben Hawkes of Google Security Team.

MS13-029 – Vulnerability in Remote Desktop Client Could Allow Remote Code Execution

MS13-029 security update, classified as Critical, allowing remote code execution, is the fix for 1 privately reported vulnerability in Windows Remote Desktop Client. CVE-2013-1296 (9.3 CVSS base score) was discovered and privately reported by c1d2d9acc746ae45eeb477b97fa74688, working with HP’s Zero Day Initiative.

MS13-030 – Vulnerability in SharePoint Could Allow Information Disclosure

MS13-030 security update, classified as Important, allowing information disclosure, is the fix for 1 publicly reported vulnerability in Microsoft SharePoint Server. CVE-2013-1290 (3.5 CVSS base score) was publicly disclosed.

MS13-031 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

MS13-031 security update, classified as Important, allowing elevation of privileges, is the fix for 2 privately reported vulnerabilities in Microsoft Windows. CVE-2013-1284 (4.9 CVSS base score) and CVE-2013-1294 (4.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc.

MS13-032 – Vulnerability in Active Directory Could Lead to Denial of Service

MS13-032 security update, classified as Important, allowing denial of service, is the fix for 1 privately reported vulnerability in Active Directory. CVE-2013-1282 (unknown CVSS base score) was discovered and privately reported.

MS13-033 – Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege

MS13-033 security update, classified as Important, allowing elevation of privileges, is the fix for 1 privately reported vulnerability. CVE-2013-1295 (5.0 CVSS base score) was discovered and privately reported by George Georgiev Valkov.

MS13-034 – Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege

MS13-034 security update, classified as Important, allowing elevation of privileges, is the fix for 1 privately reported vulnerability in the Microsoft Antimalware Client. CVE-2013-0078 (7.2 CVSS base score) was discovered and privately reported.

MS13-035 – Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege

MS13-035 security update, classified as Important, allowing elevation of privileges, is the fix for 1 privately reported vulnerability in the Microsoft Office. CVE-2013-1289 (4.3 CVSS base score) was discovered and privately reported by Drew Hintz of Google Security Team.

MS13-036 – Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege

MS13-036 security update, classified as Important, allowing elevation of privileges, is the fix for three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. CVE-2013-1283 (6.9 CVSS base score) and CVE-2013-1292 (6.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google IncCVE-2013-1293 (6.9 CVSS base score) was publicly disclosed by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google IncCVE-2013-1291 (7.1 CVSS base score) was discovered and privately reported by Wang Yu.

APSB13-09 – Adobe Flash March 2013 Security Bulletin Review

Adobe has release, the 12 March 2013, during his March Patch Tuesday, one Adobe Flash security bulletin dealing with four vulnerabilities. This security bulletin has a Critical severity rating. The associated vulnerabilities have all 10.0 CVSS base score.

APSB13-09 – Security updates available for Adobe Flash Player

APSB13-09 is concerning :

  • Adobe Flash Player 11.6.602.171 and earlier versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.273 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.47 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.43 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.6.0.597 and earlier versions for Windows, Macintosh and Android
  • Adobe AIR 3.6.0.597 SDK and earlier versions
  • Adobe AIR 3.6.0.599 SDK & Compiler and earlier versions

CVE-2013-0646 (10.0 CVSS base score) has been discovered and privately reported by an anonymously through iDefense’s Vulnerability Contributor ProgramCVE-2013-0650 (10.0 CVSS base score) has been discovered and privately reported by a Attila Suszter of Reversing on Windows blogCVE-2013-1371 (10.0 CVSS base score) and CVE-2013-1375 (10.0 CVSS base score) have been discovered and privately reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

Microsoft March 2013 Patch Tuesday Review

Microsoft has release, the 12 March 2013, during his March Patch Tuesday, one updated security advisory and seven security bulletins. On the seven security bulletins four of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2824670 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-09.

MS13-021 – Cumulative Security Update for Internet Explorer

MS13-021 security update, classified as Critical, allowing remote code execution, is the fix for 8 privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. CVE-2013-0087 (9.3 CVSS base score) was discovered and privately reported by Arseniy Akuney of TELUS Security LabsCVE-2013-0088 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0089 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0090 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security, working with HP’s Zero Day Initiative, and SkyLined, working with HP’s Zero Day InitiativeCVE-2013-0091 (9.3 CVSS base score) was discovered and privately reported by Jose A Vazquez of Yenteasy Security Research, working with the Exodus Intelligence. CVE-2013-0092 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with HP’s Zero Day InitiativeCVE-2013-0093 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with HP’s Zero Day InitiativeCVE-2013-0094 (9.3 CVSS base score) was discovered and privately reported by Simon Zuckerbraun, working with HP’s Zero Day InitiativeCVE-2013-1288 (9.3 CVSS base score) was discovered and publicly disclosed by Gen Chen of Venustech ADLab and by Qihoo 360 Security Center.

MS13-022 – Vulnerability in Silverlight Could Allow Remote Code Execution

MS13-022 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0074 (9.3 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security.

MS13-023 – Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution

MS13-023 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0079 (9.3 CVSS base score) was discovered and privately reported by [email protected], working with VeriSign iDefense Labs.

MS13-024 – Vulnerabilities in SharePoint Could Allow Elevation of Privilege

MS13-024 security update, classified as Critical, allowing elevation of privilege, is the fix for four privately reported vulnerabilities. CVE-2013-0080 (7.5 CVSS base score) was discovered and privately reported by Emanuel Bronshtein of BugSecCVE-2013-0083 (4.3 CVSS base score) was discovered and privately reported by Sunil Yadav of INR Labs (Network Intelligence India). CVE-2013-0084 (7.5 CVSS base score) was discovered and privately reported by Moritz Jodeit of n.runs AGCVE-2013-0085 (7.8 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-025 – Vulnerability in Microsoft OneNote Could Allow Information Disclosure

MS13-025 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability. CVE-2013-0086 (5.0 CVSS base score) was discovered and reported by Christopher Gabriel of Telos Corporation.

MS13-026 – Vulnerability in Office Outlook for Mac Could Allow Information Disclosure

MS13-026 security update, classified as Important, allowing information disclosure, is the fix for one privately reported vulnerability. CVE-2013-0095 (5.0 CVSS base score) was discovered and reported by Nick Semenkovich.

MS13-027 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege

MS13-027 security update, classified as Important, allowing elevation of privilege, is the fix for three privately reported vulnerabilities. CVE-2013-1285 (7.2 CVSS base score), CVE-2013-1286 (7.2 CVSS base score) and CVE-2013-1287 (7.2 CVSS base score) were discovered and reported by Andy Davis of NCC Group.

An interesting blog post is describing MS13-027 “Addressing an issue in the USB driver requiring physical access“. This fix look like to the Stuxnet flaw.

Oracle update to Java 7 Update 17 and to Java 6 Update 43, but…

Oracle, stressed by the new Java 0day discovered exploited in the wild, seem to have release new updates for Java 7, Java 6 and Java 5. Java 7 is updated to version 1.7.0_17, Java 6 is updated to version 1.6.0_43 and Java 5 is updated to version 1.5.0_41.

java7u17

These update are pushed an “Oracle Security Alert for CVE-2013-1493” who fix CVE-2013-1493 vulnerability related to the Java 0day, but also another vulnerability, aka CVE-2013-0809, affecting Java running in web browsers. Both vulnerabilities have a CVSS base score of 10.0 and are remotely exploitable without authentication.

Vulnerabilities are credited to an anonymous Reporter of TippingPoint’s Zero Day Initiative, axtaxt via Tipping Point’s Zero Day Initiative, Darien Kindlund of FireEye, Vitaliy Toropov via iDefense and to Vitaliy Toropov via TippingPoint. As you may remember, CVE-2013-1493 was discovered exploited in the wild by FireEye, but it seem that this vulnerability was also previously discovered by a security researcher working with 0day brokers. It is not the first time that we see 0days exploited in the wild, previously reported to 0day brokers !

Also, Security Explorations, a security firm responsible for identifying most of the latest Java vulnerabilities, is not credited for any of the patched vulnerabilities. So they are still bunch off reported vulnerabilities in Java.

Last but not least, Security Explorations has report, today, five new security issues for Java 7 who can be used to gain a complete Java security sandbox bypass in the environmentof Java SE 7 Update 15.