Welcome to Patch Tuesday, April 2013. Today Microsoft released 9 patches, covering a total of 14 individual vulnerabilities. Two of the patches are identified by Microsoft as critical, addressing issues in Internet Explorer and Remote Desktop Client. The remaining 7 patches address lower-severity DoS, Information Disclosure, and Privilege Escalation vulnerabilities, and are classified by Microsoft as Important. This month’s patches include the following:
- (MS13-028) Cumulative Security Update for Internet Explorer (2817183)
- (MS13-029) Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223)
- (MS13-030) Vulnerability in SharePoint Could Allow Information Disclosure (2827663)
- (MS13-031) Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170)
- (MS13-032) Vulnerability in Active Directory Could Lead to Denial of Service (2830914)
- (MS13-033) Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917)
- (MS13-034) Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482)
- (MS13-035) Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818)
- (MS13-036) Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996)
Alongside this month’s regular patches, Microsoft also officially announced this week the End-of-Life for Windows XP. The last batch of patches for Windows XP will be released 1 year from now, on April 8, 2014. This venerable operating system has served us pretty well since 2001, and I must admit I still prefer it when I’m in the mood to just get things done. Maybe that’s because it’s unencumbered by pesky security features like User Account Control, NTLM restrictions, a firewall that’s enabled by default, ASLR, and a host of other improvements that Microsoft has introduced over the last decade.
While today’s modern operating systems offer greater security and manageability, many enterprises still rely on XP as their primary desktop OS—XP still commands a 39% market share, according to NetMarketShare.
The world has a lot of work to do in the next 52 weeks! While we can expect a good number of these systems to be converted to Windows 7 and 8 over the coming months, many will remain in limbo after Microsoft pulls the support plug next April. No new patches will be released, but new vulnerabilities will be disclosed every month, and many of them can be expected to affect Windows XP. For systems running this orphaned OS, the best option will be an application whitelisting solution, such as McAfee Application Control. Application whitelisting ensures that only trusted code runs on a host, and is a very effective tool for providing strong protection far into the future.
As for this month’s patches, the two critical patches are worth noting. MS13-028 addresses a pair of vulnerabilities in Internet Explorer 6-10. These are fairly typical use-after-free browser vulnerabilities, and allow an attacker to remotely execute arbitrary code as the logged-on user if they can lure the user to a malicious web page. MS13-029 addresses a vulnerability in the Remote Desktop ActiveX Control, which supports similar web-based attack vectors. None of these Remote Code Execution (RCE) vulns have been publicly disclosed or seen to be exploited in the wild to date. Microsoft also notes one vuln (addressed by MS13-035) which has seen limited, targeted exploits in the wild.
McAfee’s coverage for this month’s vulnerabilities is as follows:
- McAfee VirusScan’s buffer overflow protection is expected to provide proactive protection against exploits of 4 out of 14 vulnerabilities this month. (MS13-028 x 2, -029, -033)
- McAfee Host Intrusion Prevention is expected to provide protection against exploits of 5 out of 14 vulnerabilities this month. (MS13-028 x 2, -029, -033, -034)
- McAfee’s Network Security Platform has new signatures confirmed to protect against exploits of 2 out of 14 vulnerabilities this month. (MS13-029, -035)
- McAfee Application Control is expected to provide protection against exploits of 4 out of 14 vulnerabilities this month. (MS13-028 x 2, -029, -033)
- McAfee Vulnerability Manager and Policy Auditor will very shortly have content to assess whether your systems are exposed to any of these new vulnerabilities.
Aggregate coverage (combining host and network-based countermeasures together) is 6 out of 14. If we focus our attention on the critical RCE vulns (MS13-028 and -029), coverage is excellent, with broad coverage across the board. Additional research is being performed by McAfee Labs, and coverage may improve as additional results roll in. As more details become available, you’ll find them on the McAfee Threat Center. You might also be interested in subscribing to McAfee Labs Security Advisories, where you can get real-time updates via email.