January 2013 Microsoft Security Bulletins

Microsoft starts the new year with a January Security Bulletin Release of seven Security Bulletins. These seven bulletins cover at least 11 CVE. Three of the vulnerabilities need to be addressed immediately with two of the Bulletins. These three vulnerabilities effect XML Core Service components (MS13-001) that can be abused using Internet Explorer as a vector of attack, and a Print Spooler component (MS13-002) that could be abused once an attacker has infiltrated a network, as described in this Microsoft SRD post. This flaw is important to address for organizations that are victims of targeted attacks. Now that Pass-the-Hash techniques are becoming better understood and mitigated, attackers will look to lateral movement alternatives like these. So, while it’s doubtful that we would see a fast-spreading worm resulting from this one, but as with Ramnit, it’s important for small and medium businesses to understand what ports and services are exposed to the internet and avoid becoming a victim. Either way, these two Bulletins should be addressed immediately.

It’s interesting to note that Microsoft is attending to these vulnerabilities, even though they are not yet being publicly exploited according to the company.

Other Bulletins this month patch SCOM components, .NET, and OData Services, as well as a Windows kernel EoP effecting all versions of Windows and an interesting SSL bypass. SCOM is interesting because it is the Microsoft Security Center Operations Manager, and the patch isn’t available as it isn’t fully tested just yet. On one hand, Microsoft’s testing capabilities are unbelieveably complex and thorough, so it’s a surprise that this release isn’t delivered alongside the others. On the other hand, it’s an XSS vulnerability that would require some unusual scenarios to exploit, and the Internet Explorer XSS filter can be enable to mitigate the issue. So this one is a bit obscure to be widely hit. The .NET vulnerability set is a bit more dangerous, because these vulnerabilities can be exploited in combination via web browsers. These vulnerabilities effect versions 1.1 through 4.5 of the Microsoft .NET framework on all versions of Windows, including Windows Server 2012. And finally, OData (Open Data Protocol) services components support fairly newer network exchange protocols used in business and other backend applications as a part of the Windows Communication Framework Data Services. These services are simply available to a denial of service attack.

Finally, Microsoft is also patching a vulnerability affecting the integrity of SSL use. In today’s world of beat-up Certificate Authorities and ongoing cyber espionage, this one is interesting because it enables attackers to force a client system to use SSL version 2 instead of SSL version 3 or TLS, removing many of the newer, necessary security features supported in version 3/TLS that mitigate the weak encryption ciphers supported by v2. In other words, the vulnerability helps enable MiTM attackers to sniff traffic that was previously, reasonably, considered “safe” by its users. This patch follows up on the fix for the TURKTRUST related fraudulent certificate fix released a few days ago. It affects all versions of Windows, including Windows RT.

January 2013 Microsoft Security Bulletins

Your email address will not be published. Required fields are marked *



Lazarus targets defense industry with ThreatNeedle

In mid-2020, we realized that Lazarus was launching attacks on the defense industry using the ThreatNeedle cluster, an advanced malware cluster of Manuscrypt (a.k.a. NukeSped). While investigating this activity, we were able to observe the complete life cycle of an attack, uncovering more technical details and links to the group’s other campaigns.

Sunburst backdoor – code overlaps with Kazuar

While looking at the Sunburst backdoor, we discovered several features that overlap with a previously identified backdoor known as Kazuar. Our observations shows that Kazuar was used together with Turla tools during multiple breaches in past years.

Lazarus covets COVID-19-related intelligence

As the COVID-19 crisis grinds on, some threat actors are trying to speed up vaccine development by any means available. We have found evidence that the Lazarus group is going after intelligence that could help these efforts by attacking entities related to COVID-19 research.

Sunburst: connecting the dots in the DNS requests

We matched private and public DNS data for the SUNBURST-malware root C2 domain with the CNAME records, to identify who was targeted for further exploitation. In total, we analyzed 1722 DNS records, leading to 1026 unique target name parts and 964 unique UIDs.

Subscribe to our weekly e-mails

The hottest research right in your inbox