Category Archives: Vulnerability Management

APSB13-02 – Adobe Reader and Acrobat January 2013 Security Bulletin Review

Vulnerability Management, , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Adobe has release, the 8 January 2013, during his January Patch Tuesday, one Adobe Reader and Acrobat security bulletin dealing with 27 vulnerabilities. All these security bulletins have a Critical severity rating. 26 of these vulnerabilities have a 10.0 CVSS base score.

APSB13-02 – Security updates available for Adobe Reader and Acrobat

APSB13-02 is concerning :

  • Adobe Reader XI (11.0.0) for Windows and Macintosh
  • Adobe Reader X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Reader 9.5.2 and earlier 9.x versions for Windows and Macintosh
  • Adobe Reader 9.5.1 and earlier 9.x versions for Linux
  • Adobe Acrobat XI (11.0.0) for Windows and Macintosh
  • Adobe Acrobat X (10.1.4) and earlier 10.x versions for Windows and Macintosh
  • Adobe Acrobat 9.5.2 and earlier 9.x versions for Windows and Macintosh

CVE-2012-1530 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Nicolas Grégoire through iDefense’s Vulnerability Contributor Program.

CVE-2013-0601 (10.0 CVSS base score), CVE-2013-0602 (10.0 CVSS base score), CVE-2013-0605 (10.0 CVSS base score), CVE-2013-0606 (10.0 CVSS base score), CVE-2013-0607 (10.0 CVSS base score), CVE-2013-0608 (10.0 CVSS base score), CVE-2013-0609 (10.0 CVSS base score), CVE-2013-0610 (10.0 CVSS base score), CVE-2013-0611 (10.0 CVSS base score), CVE-2013-0612 (10.0 CVSS base score), CVE-2013-0613 (10.0 CVSS base score), CVE-2013-0614 (10.0 CVSS base score), CVE-2013-0615 (10.0 CVSS base score), CVE-2013-0616 (10.0 CVSS base score), CVE-2013-0617 (10.0 CVSS base score), CVE-2013-0618 (10.0 CVSS base score), CVE-2013-0619 (10.0 CVSS base score), CVE-2013-0620 (10.0 CVSS base score) and CVE-2013-0621 (10.0 CVSS base score), that could lead to code execution, have been discovered and reported by Mateusz Jurczyk and Gynvael Coldwind of the Google Security Team.

CVE-2013-0603 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Tom Gallagher of Microsoft and Microsoft Vulnerability Research (MSVR).

CVE-2013-0604 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program.

CVE-2013-0622 (10.0 CVSS base score), that could bypass security, has been discovered and reported by Joel Geraci of Practical:PDF.

CVE-2013-0623 (10.0 CVSS base score), that could lead to code execution, has been discovered and reported by Alexander Gavrun through iDefense’s Vulnerability Contributor Program and by David D. Rude II of iDefense Labs.

CVE-2013-0624 (10.0 CVSS base score), that could bypass security, has been discovered and reported by Billy Rios, Federico Lanusse and Mauro Gentile.

CVE-2013-0626 (10.0 CVSS base score), that could bypass security, has been discovered and reported by an unknown security researcher.

CVE-2013-0627 (7.2 CVSS base score), that could lead to local privilege escalation, has been discovered and reported by Myke Hamada, Joost Bakker, Anand Bhat and Timothy McKenzie.

APSB13-01 – Adobe Flash January 2013 Security Bulletin Review

Vulnerability Management, , , ,

Adobe has release, the 8 January 2013, during his January Patch Tuesday, one Adobe Flash security bulletin dealing with one vulnerability. This security bulletin has a Critical severity rating. The associated vulnerability has a 10.0 CVSS base score.

APSB13-01 – Security updates available for Adobe Flash Player

APSB13-01 is concerning :

  • Adobe Flash Player 11.5.502.135 and earlier versions for Windows
  • Adobe Flash Player 11.5.502.136 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.258 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.34 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.29 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.5.0.880 and earlier versions for Windows, Adobe AIR 3.5.0.890 and earlier versions for Macintosh and Adobe AIR 3.5.0.880 for Android
  • Adobe AIR 3.5.0.880 SDK and Adobe AIR 3.5.0.890 SDK

CVE-2013-0630, with 10.0 CVSS base score, has been discovered and reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

Microsoft January 2013 Patch Tuesday Review

Vulnerability Management, , , , , , , , , , , , , , , , , , , , , , , , ,

Microsoft has release, the 8 January 2013, during his January Patch Tuesday, two updated security advisories and seven security bulletins. On the seven security bulletins two of them has a Critical security rating.

Microsoft Security Advisory 973811

MSA-973811,released during August 2009, has been updated. The security advisory is regarding updates for Extended Protection for Authentication. Update v1.14 will provide more informations in the FAQ and Suggested Actions with information about attacks against NTLMv1  and LAN Manager network authentication. Applying Microsoft “Fix it“, for Windows XP or Windows Server 2003, enables NTLMv2 settings in order to take advantage of Extended Protection for Authentication.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2796096 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-01.

MS13-001 – Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution

MS13-001 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0011 has a 10.0 CVSS base score and was discovered and privately reported by un unknown security researcher.

Affected software are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012
  • Windows RT

MS13-002 – Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution

MS13-002 security update, classified as Critical, allowing remote code execution, is fixing two privately reported vulnerabilities. CVE-2013-0006 has a 9.3 CVSS base score and was discovered and privately reported by an unknown security researcher. CVE-2013-0007 has a 9.3 CVSS base score and was discovered and privately reported by Nicolas Gregoire of Agarri, working with VeriSign iDefense Labs.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012
  • Windows RT

MS13-003 – Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege

MS13-003 security update, classified as Important, allowing elevation of privilege, is fixing two privately reported vulnerabilities. CVE-2013-0009 has a 4.3 CVSS base score and was discovered and privately reported by an anonymous security researcher. CVE-2013-0010 has a 4.3 CVSS base score and was discovered and privately reported by Andy Yang of Stratsec.

Affected softwares are:

  • Microsoft System Center Operations Manager 2007 Service Pack 1
  • Microsoft System Center Operations Manager 2007 R2

MS13-004 – Vulnerabilities in .NET Framework Could Allow Elevation of Privilege

MS13-004 security update, classified as Important, allowing elevation of privilege, is fixing four privately reported vulnerabilities. CVE-2013-0001 has a 7.1 CVSS base score and was discovered and privately reported by Jon Erickson of iSIGHT Partners Global Vulnerability PartnershipCVE-2013-0002 has a 9.3 CVSS base score and was discovered and privately reported by Vitaliy Toropov, working with Tipping Point’s Zero Day InitiativeCVE-2013-0003 has a 9.3 CVSS base score and was discovered and privately reported by Vitaliy Toropov, working with Tipping Point’s Zero Day InitiativeCVE-2013-0004 has a 9.3 CVSS base score and was discovered and privately reported by James Forshaw of Context Information Security.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012
  • Windows RT

MS13-005 – Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

MS13-005 security update, classified as Important, allowing elevation of privilege, is fixing one privately reported vulnerability. CVE-2013-0008 has a 6.9 CVSS base score and was discovered and privately reported by an unknown security researcher.

Affected softwares are:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012
  • Windows RT

MS13-006 – Vulnerability in Microsoft Windows Could Allow Security Feature Bypass

MS13-006 security update, classified as Important, allowing security feature bypass, is fixing one privately reported vulnerability. CVE-2013-0013 has a 5.8 CVSS base score and was discovered and privately reported by Kenichiro Katayama.

Affected softwares are:

  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012
  • Windows RT

MS13-007- Vulnerability in Open Data Protocol Could Allow Denial of Service

MS13-007 security update, classified as Important, allowing denial of service, is fixing one privately reported vulnerability. CVE-2013-0005 has a 7.8 CVSS base score and was discovered and privately reported by an anonymous security researcher.

Affected softwares are:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows 8 for 32-bit Systems
  • Windows 8 for 64-bit Systems
  • Windows Server 2012

Microsoft Release Security Advisory MSA-2794220 for CFE Internet Explorer 0day

Vulnerability Management, , , , , , , , , , ,

Microsoft has release a security advisory MSA-2794220 for the Internet Explorer 0day used against Council on Foreign Relations (CFR.org) “drive-by” attack. This attack was reported the 28 December by “The Washington Free Beacon” but it seem that only 48 hours after the publication of this news an exploitable Metasploit module will be available during this long week-end end of the year.


CVE-2012-4792-metasploit-internet-explorer-0day

Microsoft confirm, in the security advisory, that the vulnerability is only affecting Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8. Internet Explorer 9 and Internet Explorer 10 are not affected by the vulnerability. Also this Internet Explorer vulnerability has been identified as CVE-2012-4792.

Microsoft is not providing any date for a patch release, but will the appropriate actions, which may include providing a solution through the monthly security update release process, or an out-of-cycle security update. The next “Patch Tuesday” cycle is planned for the 8 January, but depending on how fast the exploit kits will include this new vulnerability, it will be maybe possible that Microsoft will release an out-of-band patch.

As always Microsoft is recommending the usage of Enhanced Mitigation Experience (EMET) in order to mitigate the attack.