Microsoft released seven bulletins addressing vulnerabilities in Internet Explorer, Microsoft Silverlight, Sharepoint, Visio, OneNote, and Office for Mac as part of its March Patch Tuesday for March 2013.
Of the seven bulletins, four were rated “critical” and three rated “important,” Microsoft said in its Patch Tuesday security bulletin notification on Tuesday.
The most important bulletin is the cumulative update for Internet Explorer (MS13-01) fixing nine distinct bugs, one of which was being exploited (CVE-2013-1288) in the wild for a month, said Wolfgang Kandek, CTO of Qualys. None of the vulnerabilities exploited during the recent Pwn2Own competition at CanSecWest are included in this patch. Interestingly enough, the issues fixed in this bulletin does not appear to impact IE 10 for Windows 7, but does affect IE 10 on Windows 8, Paul Henry, security analyst for Lumension, told SecurityWeek.
The remaining three critical bulletins fixed vulnerabilities in Silverlight, SharePoint and Visio Viewer. The Silverlight 5 patch (MS13-022) closed three remote code execution flaws, which if exploited successfully, could be used to take control of Windows and Mac OS X systems. The file type flaw in Visio Viewer (MS13-023), if left unpatched, could be triggered by the user viewing a malicious Visio diagram sent over email, Henry warned.
Microsoft also fixed a persistent cross-site-scripting bug on SharePoint (MS13-024), where the attacker plants attack code inside a search query, which is executed when the administrator reviews the existing queries. The elevation of privilege issue means the code would execute with administrator privileges, giving the attacker full control. The SharePoint bulletin also fixed a moderate denial-of-service bug and two important elevation of privilege flaws.
While there were bulletins for Microsoft Office, with the critical patch for Visio and two important ones for OneNote and Office for Mac, none of the core Office products were affected this month, said Tyler Reguly, technical manager of security research and development at nCircle.
Even though Microsoft rated the USB drive issue (MS13-027) as only “important” because physical access to the targeted machine is required, security experts said it was a serious issue and administrators needed to prioritize the bulletin highly.
Thanks to an elevation of privilege flaw in the kernel mode drivers, an attacker could execute code on any computer just by plugging in a USB drive. Called an “evil maid attack,” this type of an attack doesn’t need the user to be logged in, or the screen unlocked. The computer just needs to be on. This means practically anyone who has access to an unattended computer, including the cleaning crew at the office, the staff at the hotel, or anyone who can take a few seconds to insert that device into the USB port.
Normally, with this sort of vulnerability, a low-level authorized user might be elevated to the system level. In this case, the vulnerability is not in the USB device, but in the USB driver already loaded on the system, which means the attacker has access to system level memory, Henry said.
“Once an attack has access, they can overwrite the location of the admin credentials in RAM,” Henry said.
Administrators should either install the patch immediately, or deploy a security policy temporarily disabling all USB ports across the enterprise so that people can’t use the ports until the patch is completely deployed, recommended Andrew Storms, director of security operations at nCircle.
“You’ve seen this attack method in movies for years, and it’s now showing in enterprises all over the world,” said Storms.
“Just imagine what a properly motivated janitorial staff could do with this vulnerability in just one evening. This vulnerability also seriously impacts security on all those public kiosks and co-location centers that don’t have locked cabinets. The potential for harm with this vulnerability can’t be over stated,” Storms said.
While the number of bulletins—at seven—pegs this Patch Tuesday release as average, the company fixed “higher-than-average” types of vulnerabilities this month, Kandek said.
Henry also noted that Microsoft has released more patches in the three months in 2013 than this time last year. As of March 2012, Microsoft averaged seven patches, of which two were critical, each month, compared to this year, where the company is averaging an average of nine patches, of which four are critical, each month.
“We can only hope that this increase is due to a combination of new platforms and better discovery of vulnerabilities, rather than actual ongoing security problems at Microsoft,” Henry said.
Separately, Microsoft also said it will also begin releasing security updates for Windows Store apps as they become available. To the user, the security updates will appear identical to a regular app update, but the details for the update and the security issue will be listed in a security advisory, said Dustin Childs, group manager of response communications, at Microsoft Trustworthy Computing group.
