Microsoft Security Bulletin Summary for May 2013

Number: AV13-020
Date: 14 May 2013

Purpose

The purpose of this advisory is to bring attention to the monthly Microsoft Security Bulletin Summary for May. The summary covers 10 bulletins (2 Critical and 8 Important), which address multiple vulnerabilities, including the recently exploited CVE-2013-1347, in some Microsoft products.

Assessment

Microsoft has released the following security bulletins:

MS13-037 - Cumulative Security Update for Internet Explorer (2829530)
Details:   The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.
The security update addresses the vulnerabilities by modifying the way that Internet Explorer authorizes script access to data and handles objects in memory.
Maximum Security Impact:  Remote Code Execution
Aggregate Severity Rating:   Critical
Maximum Exploitability Index:  1 - Exploit code likely
Maximum Denial of Service Exploitability Index:  Temporary
Affected Products:   Internet Explorer 6, 7, 8, 9 and 10
CVE References:  CVE-2013-0811, CVE-2013-1297, CVE-2013-1306, CVE-2013-1307, CVE-2013-1308, CVE-2013-1309, CVE-2013-1310, CVE-2013-1311, CVE-2013-1312, CVE-2013-1313, CVE-2013-2551
https://technet.microsoft.com/en-ca/security/bulletin/ms13-037

MS13-038 - Security Update for Internet Explorer (2847204)
Details:  The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
The security update addresses the vulnerability by modifying the way that Internet Explorer handles objects in memory.
Maximum Security Impact:  Remote Code Execution
Aggregate Severity Rating:   Critical
Maximum Exploitability Index:  1 - Exploit code likely
Maximum Denial of Service Exploitability Index:  Not applicable
Affected Products:   Internet Explorer 8 and 9
CVE References:  CVE-2013-1347
https://technet.microsoft.com/en-ca/security/bulletin/ms13-038

MS13-039 - Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)
Details:  The vulnerability could allow denial of service if an attacker sends a specially crafted HTTP packet to an affected Windows server or client.
The security update addresses the vulnerability by correcting the way that HTTP.sys handles certain HTTP headers.
Maximum Security Impact:  Denial of Service
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index:  Permanent
Affected Products:   Windows 8 for 32-bit Systems, Windows 8 for 64-bit Systems, Windows Server 2012, Windows RT, Windows Server 2012 (Server Core installation)
CVE References:  CVE-2013-1305
https://technet.microsoft.com/en-ca/security/bulletin/ms13-039

MS13-040 - Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
Details:  The more severe of the vulnerabilities could allow spoofing if a .NET application receives a specially crafted XML file. An attacker who successfully exploited the vulnerabilities could modify the contents of an XML file without invalidating the file's signature and could gain access to endpoint functions as if they were an authenticated user.
The security update addresses the vulnerability by modifying how the .NET Framework validates the signatures in XML files and correcting the way it creates policy requirements for authentication.
Maximum Security Impact:  Spoofing
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  Not applicable
Maximum Denial of Service Exploitability Index:  Not applicable
Affected Products:   Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4, Microsoft .NET Framework 4.5
CVE References:  CVE-2013-1336, CVE-2013-1337
https://technet.microsoft.com/en-ca/security/bulletin/ms13-040

MS13-041 - Vulnerability in Lync Could Allow Remote Code Execution (2834695)
Details:  The vulnerability could allow remote code execution if an attacker shares specially crafted content, such as a file or program, as a presentation in Lync or Communicator and then convinces a user to accept an invitation to view or share the presentable content. In all cases, an attacker would have no way to force users to view or share the attacker-controlled file or program.
The security update addresses the vulnerability by modifying the way that the Lync and Communicator clients handle objects in memory.
Maximum Security Impact:  Remote Code Execution
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index:  Not applicable
Affected Products:   Microsoft Communicator 2007 R2, Microsoft Lync 2010 (32-bit), Microsoft Lync 2010 (64-bit), Microsoft Lync 2010 Attendee(admin level install), Microsoft Lync 2010 Attendee(user level install), Microsoft Lync Server 2013 (Web Components Server)
CVE References:  CVE-2013-1302
https://technet.microsoft.com/en-ca/security/bulletin/ms13-041

MS13-042 - Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)
Details:  The vulnerabilities could allow remote code execution if a user open a specially crafted Publisher file with an affected version of Microsoft Publisher. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.
The security update addresses the vulnerabilities by correcting how Microsoft Publisher parses specially crafted Publisher files.
Maximum Security Impact:  Remote Code Execution
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  1 - Exploit code likely
Maximum Denial of Service Exploitability Index:;  Not applicable
Affected Products:   Microsoft Publisher 2003 Service Pack 3, Microsoft Publisher 2007 Service Pack 3, Microsoft Publisher 2010 Service Pack 1 (32-bit editions), Microsoft Publisher 2010 Service Pack 1 (64-bit editions)
CVE References:  CVE-2013-1316, CVE-2013-1317, CVE-2013-1318, CVE-2013-1319, CVE-2013-1320, CVE-2013-1321, CVE-2013-1322, CVE-2013-1323, CVE-2013-1327, CVE-2013-1328, CVE-2013-1329
https://technet.microsoft.com/en-ca/security/bulletin/ms13-042

MS13-043 - Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)
Details:  The vulnerability could allow remote code execution if a user opens a specially crafted file or previews a specially crafted email message in an affected version of Microsoft Office software. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
The security update addresses the vulnerability by correcting the way that Microsoft Word parses specially crafted Office files.
Maximum Security Impact:  Remote Code Execution
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index:;  Not applicable
Affected Products:   Microsoft Word 2003 Service Pack 3, Microsoft Word Viewer
CVE References:  CVE-2013-1335
https://technet.microsoft.com/en-ca/security/bulletin/ms13-043

MS13-044 - Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)
Details:  The vulnerability could allow information disclosure if a user opens a specially crafted Visio file. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly, but it could be used to produce information that could be used to try to further compromise an affected system.
The security update addresses the vulnerability by correcting the manner in which the XML parser used by Visio resolves external entities within a specially crafted file.
Maximum Security Impact:  Information Disclosure
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index:;  Not applicable
Affected Products:   Microsoft Visio 2003 Service Pack 3, Microsoft Visio 2007 Service Pack 3, Microsoft Visio 2010 Service Pack 1 (32-bit editions), Microsoft Visio 2010 Service Pack 1 (64-bit editions)
CVE References:  CVE-2013-1301
https://technet.microsoft.com/en-ca/security/bulletin/ms13-044

MS13-045 - Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)
Details:  The vulnerability could allow information disclosure if a user opens Windows Writer using a specially crafted URL. An attacker who successfully exploited the vulnerability could override Windows Writer proxy settings and overwrite files accessible to the user on the target system. In a web-based attack scenario, a website could contain a specially crafted link that is used to exploit this vulnerability.
The security update addresses the vulnerability by correcting the way Windows Writer handles URL parameters.
Maximum Security Impact:  Information Disclosure
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index:;  Not applicable
Affected Products:   Windows Essentials 2011, Windows Essentials 2012
CVE References:  CVE-2013-0096
https://technet.microsoft.com/en-ca/security/bulletin/ms13-045

MS13-046 - Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)
Details:  The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
The security update addresses the vulnerabilities by correcting the way that Windows handles objects in memory.
Maximum Security Impact:  Elevation of Privilege
Aggregate Severity Rating:   Important
Maximum Exploitability Index:  1 - Exploit code likely
Maximum Denial of Service Exploitability Index:;  Permanent
Affected Products:   Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista Service Pack 2, Windows Vista x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 for Itanium-based
Systems Service Pack 2, Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Windows 8 for 32-bit Systems, Windows 8 for 64-bit Systems, Windows Server 2012, Windows RT, Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation), Windows Server 2008 for x64-based Systems Service Pack
2 (Server Core installation), Windows Server 2008 R2 for x64-based Systems (Server Core installation), Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation), Windows Server 2012 (Server Core installation)
CVE References:  CVE-2013-1332, CVE-2013-1333, CVE-2013-1334
https://technet.microsoft.com/en-ca/security/bulletin/ms13-046

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

References:
https://technet.microsoft.com/en-ca/security/bulletin/ms13-may

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca

Date modified: