Microsoft July 2013 Black Tuesday Overview

Published: 2013-07-09
Last Updated: 2013-07-09 20:22:48 UTC
by Swa Frantzen (Version: 2)
5 comment(s)

Overview of the July 2013 Microsoft patches and their status.

# Affected Contra Indications - KB Known Exploits Microsoft rating(**) ISC rating(*)
clients servers
MS13-052 Multiple vulnerabilities allow privilege escalation and/or remote code execution. 
.NET & silverlight

CVE-2013-3129
CVE-2013-3131
CVE-2013-3132
CVE-2013-3133
CVE-2013-3134
CVE-2013-3171
CVE-2013-3178
KB 2861561 Microsoft claims CVE-2013-3131 and CVE-2013-3134 have been publicly disclosed. Severity:Critical
Exploitability:1
Critical Important
MS13-053 Multiple vulnerabilities allow privelege escalation and/or remote code execution.
kernel mode drivers (KMD)

CVE-2013-1300
CVE-2013-1340
CVE-2013-1345
CVE-2013-3129
CVE-2013-3167
CVE-2013-3172
CVE-2013-3173
CVE-2013-3660
KB 2850851 Microsoft claims CVE-2013-3172 and CVE-2013-3660 have been publicly disclosed. Moreover they claim to be aware of "targeted" attacks exploiting CVE-2013-3660. Severity:Critical
Exploitability:1
PATCH NOW Important
MS13-054 A truetype font parsing issue in the GDI+ library allows remote code execution. This affects a wide selection of sofware and extra care should be given to make sure to patch all instances.
GDI+

CVE-2013-3129
KB 2848295 No publicly known exploits. Severity:Critical
Exploitability:1
Critical Important
MS13-055 A multitude of vulnerabilities are fixed in this month's IE cumulative patch, you want this one. All but one are memory corruption vulnerabilities.
MSIE

CVE-2013-3115
CVE-2013-3143
CVE-2013-3144
CVE-2013-3145
CVE-2013-3146
CVE-2013-3147
CVE-2013-3148
CVE-2013-3149
CVE-2013-3150
CVE-2013-3151
CVE-2013-3152
CVE-2013-3153
CVE-2013-3161
CVE-2013-3162
CVE-2013-3163
CVE-2013-3164
CVE-2013-3166
KB 2846071 No publicly known exploits Severity:Critical
Exploitability:1
Critical Important
MS13-056 An input validation problem in how directShow handles GIF file allows random code execution.
DirectShow

CVE-2013-3174
KB 2845187 No publicly known exploits Severity:Critical
Exploitability:1
Critical Important
MS13-057 An input validation problem in windows media format (WMV - windows media player, not to be confused with the infamous WMF format) allows random code execution.
Media Player

CVE-2013-3127
KB 2847883 No publicly known exploits Severity:Critical
Exploitability:2
Critical Important
MS13-058 An unquoted path vulnerability (see more on what this is in Mark Bagget's excellent diary on the unquoted path issues) in windows defender allows privilege esclation to the localsystem account.
Windows defender

CVE-2013-3154
KB 2847927 No publicly known exploits Severity:Important
Exploitability:1
Important Important
We will update issues on this page for about a week or so as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY
(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers such as not using outlook, MSIE, word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

(**): The exploitability rating we show is the worst of them all due to the too large number of ratings Microsoft assigns to some of the patches.

--
Swa Frantzen

5 comment(s)

Comments

Hello Swa,

Thank you for the succinct Patch Tuesday updates. I have two comments:

1. It may be important to point out that exploitation on CVE-2013-3660 under MS13-053 was focused on elevation of privilege and not remote code execution. This may impact the severity rating.

2. for MS13-057 and MS13-058, the CVEs referenced in the SANS write-up above are transposed. The correct CVEs are: CVE-2013-3127 for MS13-057 and CVE-2013-3154 for MS13-058.

Regards,

--Brian
Brain
thanks for noticing the typo's - fixed.

As to MS013-053: we did note the more limited capability of the currently used exploit against CVE-2013-3660. But with that kind of attention it's both quite unwise not to patch this, and moreover people usually underestimate the impact of a privilege escalation vulnerability (see here: https://isc.sans.edu/diary/15863 )
Agreed! Thank you for responding/resolving so quickly. :)
Microsoft says they are aware of Bulletin MS13-055 of targeted attacks attempting to exploit the vulnerability described in CVE-2013-3163 through Internet Explorer 8...
MS13-057/KB 2803821/KB 2834904 appear to be causing some issues: http://images.infoworld.com/t/microsoft-windows/another-botched-windows-patch-ms13-057kb-2803821kb-2834904-222636

Diary Archives