Microsoft released seven security bulletins today in its first Patch Tuesday update of the year.
Two of the seven bulletins are rated ‘critical’, Microsoft’s highest severity rating, while the remaining five are classified as ‘important’. The first critical bulletin addresses a vulnerability in the way the Microsoft Windows Print Spooler handles specially crafted print jobs. If exploited, an attacker could corrupt memory in a way that allows arbitrary code execution.
“MS13-001 affects the spooler service on Windows 7 and 2008; this issue is not as severe as initially feared,” said Rapid7’s Senior Manager for Security Engineering Ross Barrett. “It is an interesting defect in that an attacker could queue malicious print job headers to exploit clients which connect. However, as discussed by the Microsoft SRD (Security Research and Defense) team, it cannot be triggered by normal, built-in print job enumeration.”
“No one should have a print spooler accessible outside the firewall, but that doesn’t prevent exploit as an insider, local exploit for privilege elevation, or an attacker using this for further access once some other footing is gained,” he added.
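The point above reduces to two questions an administrator can ask of each host: is the spooler running where it is not needed, and is it reachable over the network? The script below is an added example, not code from the article, Rapid7 or Microsoft. It assumes PowerShell 3 or later with the NetSecurity module (Windows 8 / Server 2012 and later; older hosts would need netsh instead), and it treats an enabled inbound ‘File and Printer Sharing’ firewall rule as the indicator of exposure, because that group carries the SMB transport over which the spooler’s RPC named pipe is reached. The optional -Remediate switch is the author’s own convention for stopping and disabling the service.

```powershell
# Added example (not from the article or Microsoft): inventory Print Spooler
# exposure on the local host and optionally disable the service.
# Assumes PowerShell 3+ and the NetSecurity module (Windows 8 / Server 2012+).
[CmdletBinding()]
param(
    # Stop and disable the Spooler if it is running; off by default.
    [switch]$Remediate
)

$spooler = Get-Service -Name Spooler -ErrorAction Stop
$startup = (Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'").StartMode

# Enabled inbound rules in the "File and Printer Sharing" group open SMB
# (TCP 445), the transport for the spooler's RPC named pipe. Any such rule on
# the Domain or Public profile means the service is reachable from the network.
$rules = Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
                             -Direction Inbound -Enabled True -ErrorAction SilentlyContinue |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = ($port.LocalPort -join ',')
        }
    }

# Summary first, then the rules that make the service reachable.
[pscustomobject]@{
    Computer      = $env:COMPUTERNAME
    SpoolerStatus = $spooler.Status
    SpoolerStart  = $startup
    ExposedRules  = @($rules).Count
} | Format-List

$rules | Format-Table -AutoSize

if ($Remediate -and $spooler.Status -eq 'Running') {
    # Only sensible on hosts that neither print nor serve print queues;
    # a print server needs the service and must rely on the patch instead.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
    Write-Host "Spooler stopped and disabled on $env:COMPUTERNAME"
}
```

Run it without switches first to build an inventory; pass -Remediate only on servers that have no printing role, since disabling the service on a print server or a user workstation will break printing outright.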
The second critical bulletin – MS13-002 – covers two vulnerabilities in Microsoft XML Core Services, and impacts a number of products: Windows, Microsoft Office, Microsoft Developer Tools and Microsoft Server Software. To exploit the vulnerabilities, the attacker would have to lure the user to a specially crafted webpage. If the attacker is successful, they can execute arbitrary code on the victim’s machine.
“The XML bug should be at the top of everyone’s ‘patch immediately’ list,” said Andrew Storms, director of security operations for nCircle. “This bug is going to be a popular target for attackers. If you can’t do anything else right away, at least patch this one post haste. This critical XML bug affects every version of Windows in one way or another because XML is used by a wide range of operating system components.”
Missing from the updates is a patch for the Internet Explorer zero-day bug the company warned about in late December.
“We are getting seven bulletins, with two bulletins considered ‘critical’ and five bulletins ‘important’,” blogged Wolfgang Kandek, CTO of Qualys. “The one thing upsetting this normal balance is a current 0-day vulnerability that affects Internet Explorer 6, 7 and 8 — which represents 90 percent of the IE install base at this time — but which is not part of the Patch Tuesday release.”
In response to the attacks, Microsoft released a Fix It tool for users. However, vulnerability research firm Exodus Intelligence has said it discovered a way to bypass the Fix It and exploit the bug. Microsoft has said that it has reached out to the firm and is continuing work on a patch.
In addition to the Microsoft updates, Adobe Systems has released patches for Adobe Flash Player, Adobe Reader and Adobe Acrobat. While the Flash Player update addresses just one vulnerability, the update for Acrobat and Reader addresses more than two dozen. In both cases, the patches deal with issues that could be exploited to enable an attacker to crash or take control of the system. However, Adobe said it has not seen any of the vulnerabilities targeted in attacks.