Microsoft Security Bulletin Summary for March 2013

Number: AV13-014
Date: 12 March 2013

Purpose

The purpose of this advisory is to bring attention to the monthly Microsoft Security Bulletin Summary for March. The summary covers 7 bulletins (4 Critical and 3 Important), which address multiple vulnerabilities in some Microsoft products.

Assessment

Microsoft has released the following security bulletins:

MS13-021 - Cumulative Security Update for Internet Explorer (2809289)
Details: The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.
The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Internet Explorer 6, 7, 8, 9 and 10
CVE References: CVE-2013-0087, CVE-2013-0088, CVE-2013-0089, CVE-2013-0090, CVE-2013-0091, CVE-2013-0092, CVE-2013-0093, CVE-2013-0094
https://technet.microsoft.com/en-ca/security/bulletin/ms13-021

MS13-022 - Vulnerability in Silverlight Could Allow Remote Code Execution (2814124)
Details: The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements.
The security update addresses this vulnerability by correcting how Microsoft Silverlight checks memory pointers when rendering HTML objects.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Microsoft Silverlight 5
CVE References: CVE-2013-0074
https://technet.microsoft.com/en-ca/security/bulletin/ms13-022

MS13-023 - Vulnerability in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2801261)
Details: The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.
The security update addresses the vulnerability by modifying the way that Microsoft Visio Viewer allocates memory when parsing specially crafted Visio files.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Microsoft Visio Viewer 2010 Service Pack 1 (32-bit Edition), Microsoft Visio Viewer 2010 Service Pack 1 (64-bit Edition)
CVE References: CVE-2013-0079
https://technet.microsoft.com/en-ca/security/bulletin/ms13-023

MS13-024 - Vulnerabilities in SharePoint Could Allow Elevation of Privilege (2780176)
Details: The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes the user to a targeted SharePoint site.
The security update addresses the vulnerabilities by correcting the way that Microsoft SharePoint Server validates URLs and user input.
Maximum Security Impact: Elevation of Privilege
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Temporary
Affected Products: Microsoft SharePoint Server 2010 Service Pack 1, Microsoft SharePoint Foundation 2010 Service Pack 1
CVE References: CVE-2013-0080, CVE-2013-0083, CVE-2013-0084, CVE-2013-0085
https://technet.microsoft.com/en-ca/security/bulletin/ms13-024

MS13-025 - Vulnerability in Microsoft OneNote Could Allow Information Disclosure (2816264)
Details: The vulnerability could allow information disclosure if an attacker convinces a user to open a specially crafted OneNote file.
The security update addresses the vulnerability by modifying how Microsoft OneNote checks the size of a buffer to be allocated.
Maximum Security Impact: Information Disclosure
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Microsoft OneNote 2010 Service Pack 1 (32-bit editions), Microsoft OneNote 2010 Service Pack 1 (64-bit editions)
CVE References: CVE-2013-0086
https://technet.microsoft.com/en-ca/security/bulletin/ms13-025

MS13-026 - Vulnerability in Office Outlook for Mac Could Allow Information Disclosure (2813682)
Details: The vulnerability could allow information disclosure if a user opens a specially crafted email message.
The security update addresses the vulnerability by helping to ensure that Microsoft Outlook for Mac does not download content from external sources without user consent.
Maximum Security Impact: Information Disclosure
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Microsoft Office 2008 for Mac, Microsoft Office for Mac 2011
CVE References: CVE-2013-0095
https://technet.microsoft.com/en-ca/security/bulletin/ms13-026

MS13-027 - Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986)
Details: These vulnerabilities could allow elevation of privilege if an attacker gains access to a system.
The security update addresses the vulnerabilities by correcting the way that a Windows kernel-mode driver handles objects in memory.
Maximum Security Impact: Elevation of Privilege
Aggregate Severity Rating: Important
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Permanent
Affected Products: Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista Service Pack 2, Windows Vista x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems, Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for Itanium-based Systems, Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Windows 8 for 32-bit Systems, Windows 8 for 64-bit Systems, Windows Server 2012, Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation), Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation), Windows Server 2008 R2 for x64-based Systems (Server Core installation), Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation), Windows Server 2012 (Server Core installation)
CVE References: CVE-2013-1285, CVE-2013-1286, CVE-2013-1287
https://technet.microsoft.com/en-ca/security/bulletin/ms13-027

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

Microsoft has published a risk matrix table to assist organizations in evaluating and prioritizing deployment of these security updates. This table is available at the following URL:
http://blogs.technet.com/b/msrc/archive/2013/03/12/evolving-response-and-the-march-2013-bulletin-release.aspx
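One way to verify the recommended deployment on a Windows host, as an added example that is not part of this advisory: a PowerShell check that compares the installed hotfix IDs against the bulletin KB numbers listed above. It assumes the KB number in each bulletin title matches the installed package's KB ID for the Windows-component updates (Internet Explorer and the kernel-mode drivers); the application updates (Silverlight, Visio Viewer, SharePoint, OneNote, Outlook for Mac) are flagged for separate inventory because Get-HotFix does not record them.

```powershell
# Added example (not part of the CCIRC advisory): check a Windows host for the
# March 2013 bulletin updates that register as Windows hotfixes.
# Assumption: the KB number in each bulletin title is also the KB ID of the
# installed package for the Windows-component updates (MS13-021, MS13-027).
# Office, Silverlight, SharePoint and Outlook for Mac updates are not recorded
# in Win32_QuickFixEngineering, so they are reported for separate inventory.

$Bulletins = @(
    @{ Id = 'MS13-021'; KB = 'KB2809289'; Product = 'Internet Explorer';      Hotfix = $true  }
    @{ Id = 'MS13-022'; KB = 'KB2814124'; Product = 'Silverlight 5';          Hotfix = $false }
    @{ Id = 'MS13-023'; KB = 'KB2801261'; Product = 'Visio Viewer 2010';      Hotfix = $false }
    @{ Id = 'MS13-024'; KB = 'KB2780176'; Product = 'SharePoint 2010';        Hotfix = $false }
    @{ Id = 'MS13-025'; KB = 'KB2816264'; Product = 'OneNote 2010';           Hotfix = $false }
    @{ Id = 'MS13-026'; KB = 'KB2813682'; Product = 'Outlook for Mac';        Hotfix = $false }
    @{ Id = 'MS13-027'; KB = 'KB2807986'; Product = 'Windows kernel drivers'; Hotfix = $true  }
)

# Query the installed hotfix list once, then look each KB up in a hash table.
$Installed = @{}
Get-HotFix | ForEach-Object { $Installed[$_.HotFixID] = $_.InstalledOn }

$Report = foreach ($b in $Bulletins) {
    if (-not $b.Hotfix) {
        $status = 'Not tracked by Get-HotFix; verify via application inventory'
    } elseif ($Installed.ContainsKey($b.KB)) {
        $status = "Installed $($Installed[$b.KB])"
    } else {
        $status = 'MISSING'
    }
    [PSCustomObject]@{ Bulletin = $b.Id; KB = $b.KB; Product = $b.Product; Status = $status }
}

$Report | Format-Table -AutoSize

# Non-zero exit code when a Windows-component bulletin is missing, so the
# script can gate a deployment-verification job.
if ($Report | Where-Object Status -eq 'MISSING') { exit 1 }
```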

References:
http://technet.microsoft.com/en-ca/security/bulletin/ms13-mar

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that CCIRC's PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
