Light, but Important Patch Tuesday

Wednesday, June 12, 2013 @ 01:06 PM gHale

Microsoft took advantage of a light Patch Tuesday by releasing an update to its certificate handling infrastructure.

Building on a feature native to Windows 8 that automatically adds untrusted or compromised certificates to the Windows Disallowed Certificate Trust List (CTL), Microsoft's enhancements give enterprises additional options for managing their PKI installations.


The update allows computers on the same Active Directory domain to auto-update their certificate trust lists without reaching Windows Update; they can also be configured to opt in separately to auto-updates for trusted roots and for disallowed certificates. In addition, administrators can choose a subset of the roots for distribution via Group Policy, rather than trusting every root Windows Update ships.
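The following PowerShell script is an added example written for this page, not code from the article or from Microsoft. It walks through the three capabilities just described on a disconnected, domain-joined host: mirroring the CTLs to an internal file share, pointing the auto-updater at that share, and opting in to disallowed-certificate updates only while the trusted-root set stays under administrator control. The share path \\pki-srv\ctl is an assumption, and the policy registry value names are the ones documented for this update (KB2813430, Security Advisory 2854544) as I recall them; confirm them against the KB article before rolling this out. In production the registry values would be delivered by Group Policy rather than set directly.

```powershell
# Added example (not from the original article or from Microsoft).
# Assumptions: \\pki-srv\ctl exists and is readable by domain machine accounts;
# the registry value names match the policy values documented for KB2813430.
param(
    [string]$ShareRoot = '\\pki-srv\ctl',   # assumed internal share for the CTLs
    [switch]$DisallowedOnly                  # root auto-update off, disallowed CTL on
)

# Step 1 (run on one machine that can reach Windows Update): mirror the
# trusted-root CTL, the disallowed CTL and the root certificates to the share.
if (-not (Test-Path $ShareRoot)) {
    New-Item -ItemType Directory -Path $ShareRoot | Out-Null
}
& certutil.exe -syncWithWU $ShareRoot
if ($LASTEXITCODE -ne 0) {
    throw "certutil -syncWithWU failed with exit code $LASTEXITCODE"
}

# Step 2 (normally pushed by Group Policy; set directly here for illustration):
# redirect the auto-updater from Windows Update to the share.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$auto   = Join-Path $policy 'AutoUpdate'
foreach ($key in $policy, $auto) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}
Set-ItemProperty -Path $auto -Name RootDirUrl -Value $ShareRoot -Type String

if ($DisallowedOnly) {
    # Keep pulling untrusted/compromised certificates into the Disallowed CTL,
    # but stop Windows from silently adding new trusted roots.
    Set-ItemProperty -Path $policy -Name DisableRootAutoUpdate          -Value 1 -Type DWord
    Set-ItemProperty -Path $auto   -Name EnableDisallowedCertAutoUpdate -Value 1 -Type DWord
}

# Step 3: pick the subset of roots to distribute. -generateSSTFromWU writes every
# root Windows Update offers into a serialized store; open the .sst in certmgr,
# delete the roots you do not want, then import the trimmed store into the GPO's
# Trusted Root Certification Authorities policy store.
$sst = Join-Path $ShareRoot 'roots-all.sst'
& certutil.exe -generateSSTFromWU $sst
if ($LASTEXITCODE -ne 0) {
    throw "certutil -generateSSTFromWU failed with exit code $LASTEXITCODE"
}

# Read back the effective policy so the change can be checked before the GPO
# is applied fleet-wide.
Get-ItemProperty -Path $policy | Select-Object DisableRootAutoUpdate
Get-ItemProperty -Path $auto   | Select-Object RootDirUrl, EnableDisallowedCertAutoUpdate
```

Run it with `-DisallowedOnly` on a pilot host first; the check at the end shows which policy values are in force, and a client whose RootDirUrl points at the share should stop contacting Windows Update for CTL refreshes.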

Auto-update came into play one year ago, said Dustin Childs, group manager, Trustworthy Computing; the update is available for Windows Vista through Windows 8, Windows Server 2012 and Windows RT.

“Over the coming months, we’ll be rolling out additional updates to this advisory — all aimed at bolstering Windows’ cryptography and certificate-handling infrastructure,” Childs said. “Our efforts here aren’t in response to any specific incident; it’s the continuing evolution of how we handle digital certificates to ensure the safest possible computing environment for our customers.”

On Patch Tuesday, Microsoft issued five bulletins, including another cumulative update for Internet Explorer that patches 19 vulnerabilities, all critical remote code execution flaws. A separate bulletin fixed a remote code execution bug in Office; it was rated important rather than critical, even though Microsoft was aware of limited targeted attacks exploiting the vulnerability.

Meanwhile, administrators looking for a patch for the vulnerability disclosed by Google engineer Tavis Ormandy will have to wait at least another month for an update.

The Ormandy issue dates back to May 17, when he posted a note to the Full Disclosure mailing list saying he had found a local elevation of privilege vulnerability in the Windows kernel and was soliciting help in developing an exploit, which he said he completed three days later.

The IE update is the lone critical bulletin for June. MS13-047 affects IE 6-10 and in 18 of the 19 vulnerabilities, remote code execution is possible because of the way IE handles objects in memory. The remaining flaw, a Script Debug vulnerability, happens because IE improperly processes script while debugging a webpage leading to memory corruption that could allow an attacker to run code remotely once a user visits a site hosting an exploit.

The Office vulnerability, MS13-051, also enables remote code execution, but it does not rate as critical because it affects only Office 2003 Service Pack 3 and Microsoft Office for Mac 2011. Users would have to open a malicious Office document or view a malicious email in Outlook to be affected, Microsoft said. Attackers taking advantage of the buffer overflow vulnerability would run code with the rights of the logged-on user, and so could install malware, change or delete data, and add accounts with full privileges if that user has administrative rights.

The remaining bulletins are rated important and include a pair of kernel vulnerabilities.
• MS13-048 is an information-disclosure vulnerability in Windows kernel and requires local access to a computer and execution of a malicious application. An attacker would need valid credentials to exploit this flaw, Microsoft said.
• MS13-049 is a denial of service vulnerability in Windows Kernel-Mode Driver. An attacker would have to send specially crafted packets to a server to cause it to crash. Microsoft said standard default firewall configurations should help mitigate potential attacks.
• MS13-050 is a privilege escalation bug in Windows Print Spooler components. An attacker would need valid credentials and be logged on to exploit this bug.
