August 13, 2013

Microsoft has issued security updates to fix at least 23 distinct vulnerabilities in its Windows operating systems and other software. Three of the patch bundles released today address flaws rated “critical,” meaning that malware or miscreants can use them to break into Windows PCs without any help from users.

crackedwinLeading the critical updates is a cumulative patch for Internet Explorer (MS13-059) that affects every version of the browser on nearly all supported versions of Windows. In its advisory, Microsoft warns it is highly likely that attackers will soon develop exploit code to attack the flaws addressed in this patch. Indeed, according to Ross Barrett, manager of security engineering at Rapid7, the IE patch addresses a vulnerability first demonstrated at the Pwn2Own contest at the CanSecWest conference in March of this year.

Another critical update, MS13-060, is a browse-and-get-owned font vulnerability that affects users on Windows XP and Server 2003.  The final critical patch, MS13-061, tackles several flaws in Microsoft Exchange that stem from a third-party component from Oracle called Outside In.

Security experts differ over the which patches marked “important” in severity are the most interesting this month. Wolfgang Kandek, chief technology officer at vulnerability management firm Qualys, says that the most surprising patch in this category is MS13-063, a Windows kernel vulnerability that addresses another bug first disclosed (PDF) at this year’s CanSecWest. The vulnerability allows attackers to bypass an anti-exploitation protection built into Windows called address space layout randomization (ASLR). Kandek notes that the researcher who discovered that flaw — Yang Yu from Chinese security firm NSFocus — probably could have earned up to $100,000 for reporting that flaw to Microsoft, had he known Microsoft was going to start paying researchers for such bugs.

“Microsoft believes it could have qualified for one of the high-paying bounties (up to $100,000) of the current BlueHat program,” Kandek wrote. “Alas, at the time, the program did not exist, and Yang Yu had no way of knowing that the program was in the works.”

For his part, Rapid7’s Barrett said perhaps the most genuinely interesting vulnerability this month is MS13-062, which is reported as a flaw that allows lesser users to elevate their privileges on Windows.

“Microsoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong,” Barrett quipped.

Patches are available through Windows Update or via Automatic Updates. As always, if you experience any issues applying any of these patches, please leave a note in the comments section below.


30 thoughts on “Microsoft Patches Plug 23 Security Holes

  1. Old School

    KB2840628 left about 38 meg. of files and one empty folder in the Temp subfolder of the Windows folder.

  2. George G

    Thanks, Brian.

    I went right ahead to get and install the patches.

    On my Windows 7 desktop everything is going smooth. Last I looked download was complete (12 files) and half of them were already installed.

    On my Vista laptop I am having problems.
    Never got past “Preparing to install”
    I keep getting “Failed : 11 updates”.
    Tried 5X.
    I am getting Error Code 80200010

    According to MS that indicates internet connection problem (obviously not that in my case).
    If not that, then they recommend a manual “Clear the BITS queue of any current jobs” procedure.

    Nice job, MS !

    1. George G

      The manual procedure worked (it was quite simple to do).

      Want to mention that I got to the manual procedure via a Google search, using the error code. Even though it was on a MS webpage, the error investigation links from the MS update window did not have any connection to it.

      Also, I do not know if there is a connection, but the background color of the taskbar changed to white.

      1. Wayne

        The Windows Taskbar on my Vista Home Premium went from black to white…not only that, the Windows Sidebar also became white.

        1. Wayne

          It turned out that the Update had turned off my Windows Aero! After 2 hours, I was able to reset it to the original settings.

  3. Rabid Howler Monkey

    MS13-059 for Internet Explorer includes eleven vulnerabilities:

    o Internet Explorer Process Integrity Level Assignment Vulnerability
    o EUC-JP Character Encoding Vulnerability
    o Multiple [nine] Memory Corruption Vulnerabilities in Internet Explorer

    Enhanced Security Configuration (ESC) for Internet Explorer, which defaults on Windows server OSs, mitigates all but the IE Process Integrity Level Assignment vulnerability. From Microsoft’s security bulletin FAQ: ESC “is a group of preconfigured settings in Internet Explorer that can reduce the likelihood of a user or administrator downloading and running specially crafted web content on a server. This is a mitigating factor for websites that you have not added to the Internet Explorer Trusted sites zone.”

    Here’s a link to a description detailing how one uses ESC to add a web site to IE’s Trusted Zone:

    http://technet.microsoft.com/library/dd883248#addinternetsites

    Microsoft’s ESC for IE is analogous to using Firefox with the NoScript add-on to manage whitelisted web sites or using Google’s Chrome browser with its built-in whitelisting capability. I wish that Microsoft would make ESC available *as an option* to users of its Windows client OSs. Some of us prefer to whitelist our frequently-visited, legitimate web sites and, essentially, blacklist the rest of the Internet.

    So, Microsoft, how about an official Microsoft download for ESC on Windows client OSs or even an unofficial download similar to Michael Howard’s DropMyRights tool developed for Windows XP?

    1. SeymourB

      I have a sneaking suspicion everyone who’s demanding Microsoft release ESC for clients has never actually used ESC.

      ESC is so restrictive it basically breaks most, if not all, of the websites you visit. At that point you may as well not use IE and just rely on a third party browser. At which point it doesn’t matter if ESC is in place or not.

      1. Rabid Howler Monkey

        I use Firefox w/NoScript, Opera and Chromium web browser whitelisting capabilities. Of these three web browsers, Opera is the least friendly for whitelisting, requiring from the user:

        o a right-click on the web page to select ‘Edit site preferences …’ from the context menu
        o select the ‘Scripting’ Tab from the Site Preferences window
        o select ‘Enable JavaScript’ from the ‘Scripting’ Tab page

        And only the site one actually visits gets JavaScript enabled.

        This is no more onerous than using ESC for IE. It’s also optional to use.

        But, you’re correct about one thing, I will not touch IE for Internet use without ESC for IE.

  4. CooloutAC

    I wonder if its even safe to use prefetch on windows. I turn it off to save on disk thrashing….but I also turn prelink off on linux because it seems to defeat the purpose of ASLR or any file integrity checker.

  5. d

    While it is not used much, we still have an XP machine at work. We have had numerous problems with automatic updates, so we turned it off. By going to the Update site manually, it takes about two hours to connect, after hitting the “Custom” button.

    For each update of Microsoft Security Essentials, for some reason, we receive an error code. I believe it has something to do with the .NET framework. This has happened over the last few months for each update of MSE.

    Now, when I hit the “Custom” button, I must remember to look and uncheck any updates for MSE. I wish, when I hit the “Update” button on MSE to get the virus definitions that it would also pulled down any application updates.

    1. CooloutAC

      @d

      Are any connections being blocked? Maybe check with your office admin, could be why its so slow also.

      I kept having an error message when doing these updates myself. I did select MSE definitions for one of the optional updates, But I’m not sure its related. My issue was I had to allow the following outgoing connection before it installed all the updates. 72.167.239.239

      Its a go daddy host. anyone know anything about that? It always freaks me out when I do a windows update, and I have to allow ip addresses not registered to Microsoft for it to work. I wish I could do a trace or something. This address has come up before on my system and I assume its legit…but Does Microsoft have a list of related IP’s for these updates anywhere?

      Things really need to change. The whole internet infrastructure needs to change period. Anyone know if CRISP is still going to happen at least? What is the word on that??

      1. CooloutAC

        @d check your hosts file, your IE network settings, or maybe change dns servers…

        XP will no longer be supported next year, maybe put a lightweight linux distro on there instead. 🙂

        1. SF49er

          Yes!
          Almost all our previous XP pcs,
          are now running either,
          Ubuntu or Mint Linux.

          Linux installed in minutes, is very stable,
          & runs fine 98% of the apps we need
          to operate our small business.

          Those few critical “Windows-only” progs we need,
          also run ok under Linux
          with the Wine emulator.

          I realize that not everybody can switch to Linux,
          so our business is lucky
          – we can and are acting on it!

          After all the growing Windows instability & security problems,
          we’re not going to spend more time, money & effort
          with MS Windows…
          that’s enough!

          We need to get back to real work.

          We need to

          1. Rabid Howler Monkey

            SF49er wrote:
            “Almost all our previous XP pcs, are now running either, Ubuntu or Mint Linux.”

            This definitely lowers one’s attack surface, but don’t ignore Brian’s “Tools for a Safer PC” as these are applicable to all operating systems:

            http://krebsonsecurity.com/tools-for-a-safer-pc/

            Just two notes about the “tools” link with regard to the GNU/Linux desktop:

            o “Antivirus Software” – don’t forget than many of your customers and suppliers likely use Windows, so do it for them
            o “Force Apps to Play in the Sandbox” – with Ubuntu and Linux Mint, this would be AppArmor

            And, finally, an FYI on banking malware that very recently surfaced for GNU/Linux:

            “Thieves Reaching for Linux—”Hand of Thief” Trojan Targets Linux #INTH3WILD
            https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/

            Also be aware that Canonical’s ubuntuforums.org site was very recently hacked and the miscreants absconded with approximately 1.8 million user email addresses. Which brings us back to the first of Brian’s 3 rules in the “tools” link:

            ” If you didn’t go looking for it, don’t install it”

            P.S. As a small business, Brian’s “Online Banking Best Practices for Businesses” might also be of interest:

            http://krebsonsecurity.com/online-banking-best-practices-for-businesses/

            A GNU/Linux LiveCD or dedicated GNU/Linux dedicated PC still make sense for online banking.

        1. CooloutAC

          ya I know, but is it related to microsoft update? Is it one of the rented servers for load distribution? How would one find that out? how do we know noone intercepts windows updates and spreads malicious malware that way?

          One of the things CRISP was supposed to do, which was suppose do replace WHOIS, would tell us what organizations owned certain ip addresses, from my understanding no? Did this ip address come up for anybody elses windows or mse updates?

    2. George G

      I found that XP always took a lot longer than either Vista or W7 to tell me what updates were available.

  6. The Utah Data Center/N.S.A./ Area 51/Room 641A/XKeyscore

    No problems on my Windows 8 machine

    1. Nosmo

      Have you really had the joy of working with Xkeyscore? What about Blackpearl or Treasuremap?

  7. nonegiven

    A few years ago on XP, I had to uninstall every bit of .NET and reinstall it piece by piece, by hand, because of an update failure. It worked after that, it just took a while and I’ve been wary of auto update and careful with .NET updates ever since.

    If the computer is really slow, a clean OS reinstall could help immensely. So much that I plan to do it regularly.

  8. Can't We All Just Get Along?

    2 questions re:
    ​Update for Root Certificates for Windows XP [August 2013] (KB931125)
    http://support.microsoft.com/kb/931125
    Date last published: 8/13/2013
    Download size: 436 KB
    This item updates the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. Adding additional root certificates to your computer enables you to use Extended Validation (EV) certificates in Internet Explorer, a greater range of security enhanced Web browsing, encrypted e-mail, and security enhanced code delivery. After you install this item, you may have to restart your computer. Once you have installed this item, it cannot be removed.

    ​1.) Why aren’t ​Updates for Root Certificates considered “High Priority” rather than “Optional” software updates?​

    ​2.) Why aren’t all Updates processed through Microsoft Update done via the https: secure protocol?​ As a lowly (non-programmer) XP end-user, this question reveals my lack of a complete understanding about the inner workings of certificates, but it just seems commonsensical to me that the updating of security features would be conducted on a secure basis, like online banking, no?

    Thanks in advance if anybody has an understandable answer. 😉

    1. jaded

      1) The list of root authorities is a “Who’s Who” of companies that are trusted today. If they are adding new authorities, they aren’t yet in widespread use, so not adding them won’t have much impact yet.

      2) Updates historically weren’t sent via https: for two reasons. First, SSL used to be very expensive. Second, it was seen as unnecessary. Updates aren’t secrets that need to be guarded against interception. The updates are just code that anybody can have. All they need is a digital signature to assure the end user’s computer that the files haven’t been tampered with.

      But attackers have gotten way smarter.

      It’s been demonstrated that an attacker can hijack a Windows Update session, and read the list of updates being requested by the client. They can then tell the client “Windows Update server down, try later.” The attacker now has an exact list of all the unpatched vulnerabilities the client suffers from, and can choose an exploit precisely targeted at that computer’s weakness.

      SSL used to be slow and expensive, requiring a lot more hardware to handle a lot of users. But SSL appliances are now relatively cheap and commonplace, so hosting companies can encrypt a lot more of their traffic. And Microsoft has gotten much more serious about security.

  9. Stratocaster

    What, no Adobe updates this month? Heartbreaker….

  10. Sandy

    I run Windows 7, IE 10 and Outlook 2010. After installing all of these updates, I no longer get images or html in my email. Can anyone please tell me what setting(s) I need to change?

  11. Evie

    You asked for any issues with the recent update. I installed the recent updates yesterday, August 15, on my Win 7 Dell Latitude 6530, bought 13 months ago from Dell.

    As of today I keep getting notices that “This copy of Windows is not genuine.” It tells me to go online to resolve. The note takes me to a Microsoft.com site and seems genuine; I have downloaded “Required Windows Validation Components”and yes, Microsoft tells me my copy is not genuine. I flatly do not believe it, having bought the computer from Dell, and used it daily for over a year.
    Any comments or advice, gratefully received!

        1. Evie

          Eventually I ended up with Dell Support where a pleasant person told me the same thing had also had happened to her personal machine a couple of years ago. After a system restore to before the updates, and re-installing them, all is well.

          Funny how insulted I felt!

          Thanks again, Brian, for your sound advice in everything.

  12. Chris Thomas

    Bit mean of M$ not to reward Yang Yu with an ex gratia payment.

Comments are closed.