Today for Patch Tuesday, Microsoft and Adobe are both coming out with critical fixes for a number of widely installed and attacked programs. Microsoft has 10 bulletins addressing a total of 33 vulnerabilities, and Adobe is releasing new versions of Adobe Reader, Adobe Flash and Coldfusion.
Two of the Microsoft bulletins, MS13-038 and MS13-037, are fixes for vulnerabilities in Internet Explorer (IE). They are both rated “critical” and should be implemented first in this month’s lineup of patches. MS13-038 addresses a 0-day vulnerability in IE 8, registered as CVE-2013-1347, which was found first served by the Department of Labor website on April 30th. On May 3rd, Microsoft acknowledged the issue in advisory KB2847140. On May 5th, a Metasploit module was published making the exploit code widely available, and on May 8th Microsoft provided a fix-It workaround. Today, we are getting the final version of code for this vulnerability - highly recommended as the most important patch to install this month. If you are interested in the timeline and more technical background, I recommend Eric Romang’s blog post which lays out many details including the Command and Control (C&C) infrastructure used by the attackers, and a map of the roughly 280 infected IP addresses, which were extracted from the database of poorly secured C&C server.
MS13-038 was an ad hoc update this month and kudos to Microsoft for turning it around in such a short timeframe. MS13-037, however, is the expected update to Internet Explorer that addresses the two vulnerabilities used by researchers at VUPEN to exploit IE10 during the PWN2OWN competition at CanSecWest in Vancouver in March. The exploit is rated a “1” on the Microsoft Exploitability Index, meaning that Microsoft expects exploits to be developed within the next 30 days and that the attack vector would be a malicious website. Patch this vulnerability as soon as possible.
By the way, Microsoft received reports of five vulnerabilities from ZDI as a result of PWN2OWN, two used in the IE exploit and three others used in exploits of Chrome, Firefox and Adobe Reader, illustrating the increased difficulty that exploit writers face with modern software. Typically a single vulnerability is not sufficient enough any more to gain control over the targeted machine, but a combination of vulnerabilities is needed for successful exploitation, which is a good argument for upgrading to the latest available software version as the 0-day on IE8, this month’s vulnerability in Word 2003 or the large number of vulnerabilities found in Publisher 2003. The more recent your software is, the smaller your attack surface becomes. For more details on the state of the vulnerabilities reported by ZDI, take a look at Microsoft’s post on the SRD blog.
Next on our priority list are three bulletins rated “important:” MS13-042, which addresses vulnerabilities in Microsoft Office Publisher; MS13-043 resolves a problem in Microsoft Word; and MS13-039, which fixes a driver level issue in Windows Server 2012. While we don’t see Publisher used often, we believe it is widely installed as it comes default in the full Microsoft Office Installation. The attack vector would be a malicious file sent via e-mail or through a link on a website. Patch MS13-042, or evaluate whether it can be uninstalled to save you future security updates. This reduces your attack surface and would have saved you roughly eight patches in the last couple of years. MS13-043 addresses a Remote Code Execution vulnerability in Microsoft Word that could be exploited through a malicious file sent to the user and which would have to be opened. It is rated “2” on the Exploitability Index, meaning an exploit is rather difficult to craft and is not expected in the next 30 days. It also applies only to installations of Word 2003. Still, if you run Office 2003, install this patch. MS13-039 addresses a Denial of Service issue in the HTTP library in Windows Server 2012 that is easy to exploit, So, if you run a web server under Windows 2012 make sure to apply this patch.
Adobe is also coming out with updates for three of its products: Coldfusion (APSB13-03); Flash - the web application development environment; and Reader (APSB13-15). The update to Coldfusion addresses a 0-day vulnerability that has an exploit in the wild; Adobe has given workaround instructions in APSA13-03. The Reader update APSB13-15 contains fixes for 27 vulnerabilities and affects all versions of Reader supported (9,X and XI) and is rated critical and includes Adobe's fixes for the PWN2OWN vulnerabilities as well - patch as soon as possible because Adobe Reader is frequently attacked with file-based exploits. The Flash update APSB13-14 addresses 7 vulnerabilities - all found by Google's security team, btw.
Overall, Microsoft bulletin counts are at least 25% higher than in the last couple of years, partly due to Microsoft’s decision to go to monthly updates for Internet Explorer. Still, it is somewhat surprising given that the market for private vulnerability disclosure seems to have gained structure quite a bit, and I would have expected it to absorb a good part of found vulnerabilities. Joseph Menn just published an excellent article on this subject over at Reuters - “Special Report: U.S. cyberwar strategy stokes fear of blowback”.