Tag Archives: CVE-2013-0393

Microsoft February 2013 Patch Tuesday Review

Microsoft has release, the 12 February 2013, during his February Patch Tuesday, one updated security advisory and twelve security bulletins. On the twelve security bulletins five of them have a Critical security rating.

Microsoft Security Advisory 2755801

MSA-2755801,released during September 2012, has been updated. The security advisory is regarding updates for vulnerabilities in Adobe Flash Player in Internet Explorer 10. Update KB2805940 has been released for supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-05.

MS13-009 – Cumulative Security Update for Internet Explorer

MS13-009 security update, classified as Critical, allowing remote code execution, is the fix for 13 reported vulnerabilities. CVE-2013-0015 (4.3 CVSS base score) was discovered and reported by Masato Kinugawa. CVE-2013-0018 (9.3 CVSS base score) and CVE-2013-0022 (9.3 CVSS base score) were discovered and privately reported by OmairCVE-2013-0019 (9.3 CVSS base score) was discovered and privately reported by SkyLined, working with HP’s Zero Day InitiativeCVE-2013-0020 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with the Exodus Intelligence, and by Stephen Fewer of Harmony SecurityCVE-2013-0021 (9.3 CVSS base score) was discovered and privately reported by Tencent PC Manager. CVE-2013-0023 (9.3 CVSS base score) was discovered and privately reported by Arthur Gerkis, working with HP’s Zero Day InitiativeCVE-2013-0024 (9.3 CVSS base score) was discovered and privately reported by an anonymous researcher, working with HP’s Zero Day InitiativeCVE-2013-0025 (9.3 CVSS base score) and CVE-2013-0028 (9.3 CVSS base score) were discovered and privately reported by Scott Bell of Security-Assessment.comCVE-2013-0026 (9.3 CVSS base score) was discovered and privately reported by  Jose A Vazquez of Yenteasy Security Research, working with the Exodus Intelligence. CVE-2013-0027 (9.3 CVSS base score) was discovered and privately reported by Mark Yason of IBM X-Force. CVE-2013-0029 (9.3 CVSS base score) was discovered and privately reported by Stephen Fewer of Harmony Security and Aniway.Aniway@gmail.com, working with HP’s Zero Day Initiative.

MS13-010 – Vulnerability in Vector Markup Language Could Allow Remote Code Execution

MS13-010 security update, classified as Critical, allowing remote code execution, is the fix for one privately reported vulnerability. CVE-2013-0030 (9.3 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-011 – Vulnerability in Media Decompression Could Allow Remote Code Execution

MS13-011 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-0077 (9.3 CVSS base score) was discovered and reported by Tencent Security Team.

MS13-012 – Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution

MS13-012 security update, classified as Critical, allowing remote code execution, is the fix for two publicly reported vulnerability linked to Oracle Outside In vulnerabilities fixed during January 2013 Critical Patch Update. These vulnerabilities are CVE-2013-0418 (6.8 CVSS base score) and CVE-2013-0393 (6.8 CVSS base score).

MS13-020 – Vulnerability in OLE Automation Could Allow Remote Code Execution

MS13-020 security update, classified as Critical, allowing remote code execution, is the fix for one publicly reported vulnerability. CVE-2013-1313 (9.3 CVSS base score) was discovered and reported by an anonymous researcher, working with HP’s Zero Day Initiative.

MS13-013 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-013 security update, classified as Important, allowing remote code execution, is the fix for two publicly reported vulnerability linked to Oracle Outside In vulnerabilities fixed during January 2013 Critical Patch Update. These vulnerabilities are CVE-2012-3214 (2.1 CVSS base score) and CVE-2012-3217 (2.1 CVSS base score).

MS13-014 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

MS13-014 security update, classified as Important, allowing denial of service, is the fix for one privately reported vulnerability. CVE-2013-1281 (7.1 CVSS base score) was discovered and privately reported by an anonymous researcher.

MS13-015 – Vulnerability in .NET Framework Could Allow Elevation of Privilege

MS13-015 security update, classified as Important, allowing elevation of privileges, is the fix for one privately reported vulnerability. CVE-2013-0073 (10.0 CVSS base score) was discovered and privately reported by James Forshaw of Context Information Security.

MS13-016 – Vulnerabilities in Windows Kernel-Mode Driver Could Allow Elevation of Privilege

MS13-016 security update, classified as Important, allowing elevation of privileges, is the fix for 30 privately reported vulnerability. CVE-2013-1248 (4.9 CVSS base score) and CVE-2013-1249 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc, and Tencent Security Team. CVE-2013-1251 (4.9 CVSS base score), CVE-2013-1252 (4.9 CVSS base score) and CVE-2013-1253 (4.9 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1250 (4.9 CVSS base score), CVE-2013-1254 (4.9 CVSS base score), CVE-2013-1255 (4.9 CVSS base score), CVE-2013-1256 (4.9 CVSS base score), CVE-2013-1257 (4.9 CVSS base score), CVE-2013-1258 (4.9 CVSS base score), CVE-2013-1259 (4.9 CVSS base score), CVE-2013-1260 (4.9 CVSS base score), CVE-2013-1261 (4.9 CVSS base score), CVE-2013-1262 (4.9 CVSS base score), CVE-2013-1263 (4.9 CVSS base score), CVE-2013-1264 (4.9 CVSS base score), CVE-2013-1265 (4.9 CVSS base score), CVE-2013-1266 (4.9 CVSS base score), CVE-2013-1267 (4.9 CVSS base score), CVE-2013-1268 (4.9 CVSS base score), CVE-2013-1269 (4.9 CVSS base score), CVE-2013-1270 (4.9 CVSS base score), CVE-2013-1271 (4.9 CVSS base score), CVE-2013-1272 (4.9 CVSS base score), CVE-2013-1273 (4.9 CVSS base score), CVE-2013-1274 (4.9 CVSS base score), CVE-2013-1275 (4.9 CVSS base score), CVE-2013-1276 (4.9 CVSS base score) and CVE-2013-1277 (4.9 CVSS base score) were discovered and privately reported by Mateusz “j00ru” Jurczyk of Google Inc.

MS13-017 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege

MS13-017 security update, classified as Important, allowing elevation of privileges, is the fix for three privately reported vulnerability. CVE-2013-1278 (7.2 CVSS base score) and CVE-2013-1279 (7.2 CVSS base score) were discovered and privately reported by Gynvael Coldwind and Mateusz “j00ru” Jurczyk of Google Inc. CVE-2013-1280 (7.2 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-018 – Vulnerability in TCP/IP Could Allow Denial of Service

MS13-018 security update, classified as Important, allowing denial of service, is the fix for a privately reported vulnerability. CVE-2013-0075 (7.1 CVSS base score) was discovered and privately reported by an unknown security researcher.

MS13-019 – Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege

MS13-019 security update, classified as Important, allowing elevation of privileges, is the fix for a publicly reported vulnerability. CVE-2013-0076 (7.2 CVSS base score) was discovered and privately reported by Max DeLiso.

Oracle Critical Patch Update January 2013 Review

Oracle has provide his Critical Patch Update (CPU) for January 2013 how has been released on Tuesday, January 15. This CPU contains 86 security vulnerability fixes across 24 of Oracle products. On the 86 security vulnerabilities 45 of them may be remotely exploitable without authentication. The highest CVSS Base Score for vulnerabilities in this CPU is 10.0 and concern Oracle Database Mobile. 9 vulnerabilities have a CVSS base score upper or equal to 7.0.

As you may know Oracle is using CVSS 2.0 (Common Vulnerability Scoring System) in order to score the reported vulnerabilities. But as you also may know security researchers disagree with the usage of CVSS by Oracle. Oracle play with CVSS score by creating a “Partial+” impact rating how don’t exist in CVSS 2.0, and by interpreting the “Complete” rating in a different way than defined in CVSS 2.0.

Oracle Database Server

One vulnerability is reported for “Oracle Database Server”. CVE-2012-3220 vulnerability has a CVSS score of 9.0. Affected component is “Spatial” and exploitation require authentication. CVSS score is 9.0 for Windows platform and 6.5 for Linux and Unix.

Oracle Database Mobile/Lite Server

5 vulnerabilities are reported for “Oracle Database Mobile/Lite Server“, all of them are remotely exploitable without authentication. The highest CVSS score is 10.0. Affected component is “Mobile Server“.

CVE-2013-0361 and CVE-2013-0366 have a CVSS base score of 10.0CVE-2013-0362CVE-2013-0363 and CVE-2013-0364 have a CVSS base score of 7.8.

Oracle Fusion Middleware

6 vulnerabilities are reported for “Oracle Fusion Middleware” and 4 of them may be remotely exploitable without authentication. The highest CVSS score of this vulnerability is 5.0. Affected component is “Management Pack for Oracle GoldenGate“, “Oracle GoldenGate Veridata“, “Oracle WebLogic Server“, “Oracle Access Manager“, “Oracle Application Server Single Sign-On” and “Oracle Outside In Technology“.

CVE-2012-0022 and CVE-2011-5035 have a CVSS base score of 5.0CVE-2012-5097 and CVE-2012-1677 have a CVSS base score of 4.3CVE-2013-0393 and CVE-2013-0418 have a CVSS base score of 2.1.

Oracle Enterprise Manager Grid Control

13 vulnerabilities are reported for “Oracle Enterprise Manager Grid Control” and all of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.5. Affected components are “APM – Application Performance Management” and “Enterprise Manager Base Platform“.

CVE-2013-0359 has a CVSS base score of 7.5CVE-2013-0360 and CVE-2013-0396 have a CVSS base score of 5.0CVE-2013-0352CVE-2013-0374CVE-2013-0355CVE-2013-0372CVE-2013-0373CVE-2013-0353CVE-2013-0354CVE-2013-0358CVE-2012-3219 and CVE-2012-5062 have a CVSS base score of 4.3.

Oracle E-Business Suite

9 vulnerabilities are reported for “Oracle E-Business Suite” and 7 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.4. Affected components are “Oracle Applications Framework“, “Oracle CRM Technical Foundation“, “Oracle Marketing“, “Oracle Universal Work Queue“, “Human Resources“, “Oracle Applications Technology Stack” and “Oracle Payroll“.

CVE-2013-0397CVE-2013-0381CVE-2013-0382 and CVE-2012-3190 have a CVSS base score of 6.4CVE-2012-3218 has a CVSS base score of 5.5CVE-2013-0376CVE-2013-0377 and CVE-2013-0380 have a CVSS base score of 4.3CVE-2013-0390 has a CVSS base score of 2.1.

Oracle Supply Chain Products

One vulnerability is reported for “Oracle Supply Chain Products” and CVE-2013-0370 has a CVSS base score of 2.1. Affected component is “Oracle Agile PLM Framework“.

Oracle PeopleSoft Products

12 vulnerabilities are reported for “Oracle PeopleSoft Products” and 7 of them may be remotely exploitable without authentication. The highest CVSS base score of these vulnerabilities is 5.5. Affected component are “PeopleSoft PeopleTools” and “PeopleSoft HRMS“.

CVE-2013-0369 and CVE-2013-0391 have a CVSS base score of 5.5CVE-2013-0394 has a CVSS base score of 5.0CVE-2013-0388CVE-2013-0356CVE-2013-0357CVE-2012-1755CVE-2013-0387CVE-2012-5059 and CVE-2013-0392 have a CVSS base score of 4.3CVE-2013-0395 has a CVSS base score of 4.0CVE-2012-3192 has a CVSS base score of 3.5.

Oracle JD Edwards Products

One vulnerability is reported for “Oracle JD Edwards Products” and CVE-2012-1678 has a CVSS base score of 3.5. Affected component is “JD Edwards EnterpriseOne Tools“.

Oracle Siebel CRM

10 vulnerabilities are reported for “Oracle Siebel CRM” and 5 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.0. Affected component is “Siebel CRM“.

CVE-2012-1701CVE-2012-3170 and CVE-2012-3169 have a CVSS base score of 5.0CVE-2013-0378 and CVE-2013-0379 have a CVSS base score of 4.3CVE-2013-0365CVE-2012-1680CVE-2012-3172CVE-2012-3168 and CVE-2012-1700 have a CVSS base score of 4.0.

Oracle Sun Products Suite

8 vulnerabilities are reported for “Oracle Sun Products Suite” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.6. Affected components are “Solaris” and “Sun Storage Common Array Manager (CAM)“.

CVE-2013-0400 and CVE-2013-0399 have a CVSS base score of 6.6CVE-2013-0415 has a CVSS base score of 6.0. CVE-2013-0417 has a CVSS base score of 5.0CVE-2013-0407 has a CVSS base score of 3.6CVE-2012-0569 and CVE-2013-0414 have a CVSS base score of 3.3CVE-2012-3178 has a CVSS base score of 2.1.

Oracle Virtualization

One vulnerability is reported for “Oracle Virtualization” and CVE-2013-0420 has a CVSS base score of these vulnerabilities is 2.4. Affected component is “VirtualBox“.

Oracle MySQL

18 vulnerabilities are reported for “Oracle MySQL” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 9.0. Affected components are “MySQL Server“.

CVE-2012-5612 and CVE-2012-5611 have a CVSS base score of 9.0CVE-2012-5060CVE-2013-0384CVE-2013-0389 and CVE-2013-0386 have a CVSS base score of 6.8CVE-2013-0385 has a CVSS base score of 6.6CVE-2013-0375 has a CVSS base score of 5.5CVE-2012-1702 has a CVSS base score of 5.0CVE-2013-0383 has a CVSS base score of 4.3CVE-2013-0368CVE-2012-0572, CVE-2013-0371CVE-2012-0574CVE-2012-1705CVE-2012-0578 and CVE-2013-0367 have a CVSS base score of 4.0CVE-2012-5096 has a CVSS base score of 3.5.