Microsoft Patch Tuesday Report: Endpoint Perspective

This month, Microsoft’s Patch Tuesday bundle includes two separate updates for Internet Explorer; the first (MS13-037) is a cumulative update for Internet Explorer. The second is a fix (MS13-038) specifically for a critical bug in IE 8 that hackers and malware have been using to break into Windows computers.

This vulnerability first surfaced on May 3rd, when it became clear that it was being used to push drive-by-download malware from a hacked US Department of Labor microsite.  The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Days after the initial disclosure, an exploit for this vulnerability was packaged into an easy-to-use module for the popular Metasploit framework.  This neatly weaponizes the exploit, and makes it easily accessible to anyone with the inclination to download it.  From here it’s only a matter of time before the attack is rolled into the common black market exploit kits.  When that happens, it becomes a common part of every attacker’s bag-of-tricks for the foreseeable future.

Last week, Microsoft released a stopgap “Fix-it” tool to help blunt the threat from the IE8 zero-day flaw. If you installed that interim fix, Microsoft recommends taking a moment to disable it before applying today’s patches.

This threat gives us a good window into how McAfee provides layered protection for our customers, from the endpoint out to the network perimeter.  Subscribers to McAfee Labs Security Advisories would have seen a steady stream of information coming from our threat researchers describing the threat, and how our products provide protection:

  • On May 6th, McAfee Labs released vulnerability check content to allow MVM customers to identify vulnerable systems across the enterprise.
  • On May 6th, McAfee Labs released a new Network Security Platform IPS signature to identify and block exploits of this vulnerability.
  • On May 7th, McAfee Labs verified that existing behavioral and application whitelisting techniques included in McAfee VirusScan, McAfee Host Intrusion Prevention, and McAfee Application Control provide protection from exploits on the endpoint.
  • On May 12th, McAfee Labs released specific signatures designed to detect and block known exploits in McAfee VirusScan and McAfee Web Gateway.

In summary, customers running the current McAfee Endpoint Protection suite on their endpoints enjoyed protection from this exploit from the moment it surfaced.  As the details of the vulnerability and exploits emerged, additional signatures provided customers with greater visibility and awareness of how their networks are being attacked, as well as additional options for protection at the network layer.  This is how security should work, demonstrating great resilience as well as deep situational awareness.

In total, Microsoft released 10 patches this week, addressing 33 individual vulnerabilities.  Only the two previously-mentioned IE patches are identified by Microsoft as critical.  This month’s patches include the following:

  • (MS13-037) Cumulative Security Update for Internet Explorer (2829530)
  • (MS13-038) Security Update for Internet Explorer (2847204)
  • (MS13-039) Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)
  • (MS13-040) Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
  • (MS13-041) Vulnerability in Lync Could Allow Remote Code Execution (2834695)
  • (MS13-042) Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution
  • (MS13-043) Vulnerabilities in Microsoft Word Could Allow Remote Code Execution
  • (MS13-044) Vulnerability in Visio Could Allow Information Disclosure
  • (MS13-045) Vulnerability in Windows Essentials Could Allow Information Disclosure
  • (MS13-046) Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege
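As an added example (not McAfee's or Microsoft's own code), the following PowerShell checks whether the bulletin packages whose KB numbers appear in the list above are present on the local host and flags the two critical IE bulletins if either is missing. It assumes Get-HotFix is available (PowerShell 2.0 or later) and covers only the five bulletins for which this post gives a KB number; for MS13-040 and MS13-041 the bulletin KB is an umbrella article, so a "not installed" result there may simply mean the product-specific package carries a different KB.

```powershell
# Added example, not from the original post. Bulletin and KB values are taken from
# the list in the post; MS13-042 through MS13-046 are omitted because no KB numbers
# are given for them there.
$Bulletins = @(
    @{ Bulletin = 'MS13-037'; KB = 'KB2829530'; Title = 'Cumulative Security Update for Internet Explorer' },
    @{ Bulletin = 'MS13-038'; KB = 'KB2847204'; Title = 'Security Update for Internet Explorer (IE8 zero-day)' },
    @{ Bulletin = 'MS13-039'; KB = 'KB2829254'; Title = 'HTTP.sys Denial of Service' },
    @{ Bulletin = 'MS13-040'; KB = 'KB2836440'; Title = '.NET Framework Spoofing (umbrella KB)' },
    @{ Bulletin = 'MS13-041'; KB = 'KB2834695'; Title = 'Lync Remote Code Execution (umbrella KB)' }
)

function Test-BulletinInstalled {
    param([string]$KB)
    # Get-HotFix queries the installed-updates list (Win32_QuickFixEngineering).
    # Suppress the error it raises when the KB is absent and return a plain boolean.
    $hotfix = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

# Build one row per bulletin; New-Object is used instead of [PSCustomObject]
# so the script also runs on PowerShell 2.0 hosts.
$results = foreach ($b in $Bulletins) {
    New-Object PSObject -Property @{
        Bulletin  = $b.Bulletin
        KB        = $b.KB
        Installed = Test-BulletinInstalled -KB $b.KB
        Title     = $b.Title
    }
}

$results | Select-Object Bulletin, KB, Installed, Title | Format-Table -AutoSize

# The two IE bulletins are the only ones rated critical this month, and MS13-038
# closes the vulnerability under active exploitation, so call those out explicitly.
$critical = @('MS13-037', 'MS13-038')
$missingCritical = $results | Where-Object { -not $_.Installed -and ($critical -contains $_.Bulletin) }
if ($missingCritical) {
    Write-Warning ('Critical IE bulletin(s) not installed: ' + (($missingCritical | ForEach-Object { $_.Bulletin }) -join ', '))
}
```

Run it under an account that can read the installed-updates list; pair it with the MVM vulnerability check content mentioned above for fleet-wide coverage rather than a single host.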

McAfee’s coverage for this month’s vulnerabilities is as follows:

  • McAfee VirusScan’s buffer overflow protection is expected to provide proactive protection against exploits of 13 out of 33 vulnerabilities this month.
  • McAfee Host Intrusion Prevention is expected to provide protection against exploits of 24 out of 33 vulnerabilities this month.
  • McAfee Application Control is expected to provide protection against exploits of 22 out of 33 vulnerabilities this month.
  • McAfee’s Network Security Platform has new signatures confirmed to protect against exploits of 7 out of 33 vulnerabilities this month.
  • McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.

Aggregate coverage (combining host- and network-based countermeasures) is 26 out of 33. In particular, coverage for the most critical IE vulnerabilities is excellent across the board. Additional research is being performed by McAfee Labs, and coverage may improve as further results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.

Happy patching!
