Microsoft Security Bulletin Summary for August 2013

Number: AV13-029
Date: 13 August 2013

Purpose

The purpose of this advisory is to bring attention to the monthly Microsoft Security Bulletin Summary for August. The summary covers 8 bulletins (3 Critical and 5 Important), which address multiple vulnerabilities in some Microsoft products.

Assessment

Microsoft has released the following security bulletins:

MS13-059 - Cumulative Security Update for Internet Explorer (2862772)
Details: The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.
The security update addresses the vulnerabilities by modifying the way that Internet Explorer handles objects in memory.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Internet Explorer 6, 7, 8, 9 and 10
CVE References: CVE-2013-3184, CVE-2013-3186, CVE-2013-3187, CVE-2013-3188, CVE-2013-3189, CVE-2013-3190, CVE-2013-3191, CVE-2013-3192, CVE-2013-3193, CVE-2013-3194, CVE-2013-3199
https://technet.microsoft.com/en-ca/security/bulletin/ms13-059

MS13-060 - Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869)
Details: The vulnerability could allow remote code execution if a user viewed a specially crafted document or webpage with an application that supports embedded OpenType fonts. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user.
The security update addresses the vulnerability by correcting the way that Microsoft Windows parses specific characteristics of OpenType fonts.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems
CVE References: CVE-2013-3181
https://technet.microsoft.com/en-ca/security/bulletin/ms13-060

MS13-061 - Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)
Details: The vulnerabilities exist in the WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA).
The security update addresses the vulnerabilities by updating the affected Oracle Outside In libraries to a non-vulnerable version.
Maximum Security Impact: Remote Code Execution
Aggregate Severity Rating: Critical
Maximum Exploitability Index: 2 - Exploit code would be difficult to build
Maximum Denial of Service Exploitability Index: Permanent
Affected Products: Microsoft Exchange Server 2007 Service Pack 3, Microsoft Exchange Server 2010 Service Pack 2, Microsoft Exchange Server 2010 Service Pack 3, Microsoft Exchange Server 2013 Cumulative Update 1, Microsoft Exchange Server 2013 Cumulative Update 2
CVE References: CVE-2013-2393, CVE-2013-3776, CVE-2013-3781
https://technet.microsoft.com/en-ca/security/bulletin/ms13-061

MS13-062 - Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470)
Details: The vulnerability could allow elevation of privilege if an attacker sends a specially crafted RPC request.
The security update addresses the vulnerability by correcting the way that Microsoft Windows handles asynchronous RPC messages.
Maximum Security Impact: Elevation of Privilege
Aggregate Severity Rating: Important
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Not applicable
Affected Products: Windows XP Service Pack 3, Windows XP Professional x64 Edition Service Pack 2, Windows Server 2003 Service Pack 2, Windows Server 2003 x64 Edition Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, Windows Vista Service Pack 2, Windows Vista x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Windows 8 for 32-bit Systems, Windows 8 for 64-bit Systems, Windows Server 2012, Windows RT, Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation), Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation), Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation), Windows Server 2012 (Server Core installation)
CVE References: CVE-2013-3175
https://technet.microsoft.com/en-ca/security/bulletin/ms13-062

MS13-063 - Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537)
Details: The most severe vulnerabilities could allow elevation of privilege if an attacker logged on locally and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
The security update addresses the vulnerabilities by changing how the Windows kernel validates memory address values and by modifying functionality to maintain the integrity of the Address Space Layout Randomization (ASLR).
Maximum Security Impact: Elevation of Privilege
Aggregate Severity Rating: Important
Maximum Exploitability Index: 1 - Exploit code likely
Maximum Denial of Service Exploitability Index: Permanent
Affected Products: Windows XP Service Pack 3, Windows Server 2003 Service Pack 2, Windows Vista Service Pack 2, Windows Vista x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Windows 8 for 32-bit Systems, Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation), Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation), Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
CVE References: CVE-2013-2556, CVE-2013-3196, CVE-2013-3197, CVE-2013-3198
https://technet.microsoft.com/en-ca/security/bulletin/ms13-063

MS13-064 - Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568)
Details: The vulnerability could allow denial of service if an attacker sends a specially crafted ICMP packet to a target server that is running the Windows NAT Driver service.
The security update addresses the vulnerability by correcting the way that Windows NAT Driver service validates memory addresses when handling specially crafted ICMP packets.
Maximum Security Impact: Denial of Service
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Permanent
Affected Products: Windows Server 2012
CVE References: CVE-2013-3182
https://technet.microsoft.com/en-ca/security/bulletin/ms13-064

MS13-065 - Vulnerability in ICMPv6 could allow Denial of Service (2868623)
Details: The vulnerability could allow a denial of service if the attacker sends a specially crafted ICMP packet to the target system.
The security update addresses the vulnerability by correcting how the Windows TCP/IP stack allocates memory while processing specially crafted ICMPv6 packets.
Maximum Security Impact: Denial of Service
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Permanent
Affected Products: Windows Vista Service Pack 2, Windows Vista x64 Edition Service Pack 2, Windows Server 2008 for 32-bit Systems Service Pack 2, Windows Server 2008 for x64-based Systems Service Pack 2, Windows Server 2008 for Itanium-based Systems Service Pack 2, Windows 7 for 32-bit Systems Service Pack 1, Windows 7 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for x64-based Systems Service Pack 1, Windows Server 2008 R2 for Itanium-based Systems Service Pack 1, Windows 8 for 32-bit Systems, Windows 8 for 64-bit Systems, Windows Server 2012, Windows RT, Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation), Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation), Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation), Windows Server 2012 (Server Core installation)
CVE References: CVE-2013-3183
https://technet.microsoft.com/en-ca/security/bulletin/ms13-065

MS13-066 - Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872)
Details: The vulnerability could reveal information pertaining to the service account used by Active Directory Federation Services (AD FS). An attacker could then attempt logons from outside the corporate network, which would result in account lockout of the service account used by AD FS if an account lockout policy has been configured.
The security update addresses the vulnerability by ensuring that the endpoint does not disclose account information.
Maximum Security Impact: Information Disclosure
Aggregate Severity Rating: Important
Maximum Exploitability Index: 3 - Exploit code unlikely
Maximum Denial of Service Exploitability Index: Temporary
Affected Products: Active Directory Federation Services 1.x, Active Directory Federation Services 2.0, Active Directory Federation Services 2.1
CVE References: CVE-2013-3185
https://technet.microsoft.com/en-ca/security/bulletin/ms13-066

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca