March 2013 Microsoft Security Bulletins – Low Impact from Pwn2Own, Watch USB Drives for Another Stuxnet

Microsoft releases nine March Security Bulletins. Four of the Bulletins are rated critical, but of the 20 vulnerabilities being patched, 12 are rated critical and enable remote code execution and elevation of privilege. Microsoft software being patched with critical priority include Internet Explorer, Silverlight, Visio Viewer, and SharePoint. So, pretty much everyone running Windows, and lots of Microsoft shops, should be diligently patching systems today.

Pwn2own attracted top offensive security talent to Cansecwest and awarded a half million in prizes for fresh 0day this year, but the event didn’t force much Microsoft fix development for this Bulletin release. Adobe, Java, Firefox and Chrome were all hit this year along with two Internet Explorer 10 0day for full compromise on Windows 8 on a Windows Surface Pro tablet.

Instead, MS013-021 is one giant “Internet Explorer Use-After-Free patch”, addressing the longest list of Use-after-free vulnerabilities in a monthly update to date. Knowing that only one of these vulnerabilities was disclosed publicly, it almost looks as though they fixed a fuzzer in their own labs or someone stepped up development of their own.

MS013-022 addresses a memory pointer check in Silverlight component HTML rendering – an unusual problem known as “double de-referencing”. The interesting thing here is that this client side RCE enables exploit across not only all of its supported Windows systems, but across Apple’s Mac OS X systems. In the light of OS X mass exploitation this past year and the recent slew of OS X-enabled targeted attacks, this patch is important to folks lugging around systems running OS X.
Microsoft recommends that EMET helps mitigate both the Internet Explorer and the Silverlight issues.
On the server side, altogether different from the client side memory corruption issues above, we see a web service vulnerability. Sharepoint is pretty widely distributed in organizations. The eye popper here includes an EoP enabled by an XSS flaw that provides remote users with a method to issue Sharepoint commands in the context of an administrative user on the site. These Sharepoint flaws were all privately reported by an outside researcher, but no public disclosure is known. At the same time, a denial of service and buffer overflow issue is being addressed in the Sharepoint code.

MS012-023 addresses vulnerable code in Visio, but the code also is delivered in components within Microsoft Office. The odd thing is that there is no know code path traversal that accesses the vulnerable code within Microsoft Office. And, Microsoft maintains four or five versions of Visio Viewer, a widely used piece of software for organizations to distribute diagrams and charts of all types. However, this vulnerability only affects one version – Microsoft Visio Viewer 2010. Nonetheless, Microsoft is leaning towards addressing any and all security issues (including unknown future issues), and patching the code everywhere it resides, whether or not it is accessed by Office.

Of the lesser rated vulnerabilities, the kernel mode USB descriptor issue seems the most interesting. And yes, the title of this post is out-of proportion and fairly ridiculous. I don’t expect another Stuxnet to rise up simply because of this vulnerability. But, in a flashback to Stuxnet exploit vectors, it provides another vector of delivery for arbitrary code to be executed in kernel mode simply by inserting a USB device into a system.

To clarify, the danger here does not lie in the immediate potential for another Stuxnet. The immediate danger lies in the availability of attack surface demonstrated by Stuxnet to enable highly secured, air gapped industrial environments to be infiltrated with Pearl Harbor style surprise and effectiveness.