Microsoft March 2013 security bulletins are bringing us a slightly lighter-than-usual patching load and, perhaps, a slightly muted patching urgency compared to recent months. There are seven advisories, though they cover 20+ unique vulnerabilities. Four of the advisories are listed as “Critical”, but only the first one, which applies to all supported versions of Internet Explorer (6-10), seems likely to be an immediate threat to the average user.
The IE advisory (MS13-021) contains 9 distinct CVEs; all are use-after-free vulnerabilities and all were reported to Microsoft through coordinated disclosure. At this time they are not known to be actively exploited “in the wild”. This bulletin does not apply to IE 10 on Windows 7, as the fixes were already included when that was released earlier this month: yet another reason to stay on the latest version. Regardless, this is where I would prioritize my patching efforts.
From this vantage, my gut feel is that MS13-023, which affects the Visio 2010 Viewer and is listed as Critical (remote code execution), is the second most important to patch, followed by either of the two other Critical issues (MS13-022 & MS13-024). The Visio vulnerability requires that the Visio Viewer ActiveX control be installed for successful exploitation, so one mitigation is to disable that control.
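One way to apply that mitigation, as an added example that is not from the original post: the standard Internet Explorer “kill bit” registry setting, which stops IE from loading a given ActiveX control. The CLSID below is a placeholder; the real CLSID for the Visio Viewer control is not in this post and must be taken from the bulletin. Assumptions: an elevated prompt (HKLM is written), and on 64-bit Windows the Wow6432Node copy of the key is what 32-bit IE reads.

```powershell
# Added example: check and set the IE kill bit for one ActiveX control.
# PLACEHOLDER CLSID - replace with the Visio Viewer control's CLSID from MS13-023.
$VisioViewerClsid = '{00000000-0000-0000-0000-000000000000}'

# Compatibility Flags bit 0x400 tells IE never to instantiate the control.
$KillBitFlag = 0x400

# Both native and Wow6432Node (32-bit IE on 64-bit Windows) locations are covered.
$CompatKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-ActiveXKillBit {
    # Returns $true only if every applicable key already carries the kill bit.
    param([Parameter(Mandatory)][string]$Clsid)
    $allSet = $true
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path (Split-Path $base))) { continue }   # no Wow6432Node on 32-bit
        $key = Join-Path $base $Clsid
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        if ($null -eq $flags -or (($flags -band $KillBitFlag) -eq 0)) { $allSet = $false }
    }
    return $allSet
}

function Set-ActiveXKillBit {
    # ORs the kill bit into Compatibility Flags, preserving any other flags present.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($base in $CompatKeys) {
        if (-not (Test-Path (Split-Path $base))) { continue }
        $key = Join-Path $base $Clsid
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                     -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

if (-not (Get-ActiveXKillBit -Clsid $VisioViewerClsid)) {
    Set-ActiveXKillBit -Clsid $VisioViewerClsid
}
"Kill bit set for $VisioViewerClsid : $(Get-ActiveXKillBit -Clsid $VisioViewerClsid)"
```

The kill bit only prevents the control from loading inside Internet Explorer; it is a workaround for the browser vector, not a substitute for installing the update.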
Also, MS13-024, the SharePoint vulnerability, is only an “elevation of privilege” vulnerability; however, it’s listed as Critical. The vulnerability is an injection attack which could allow credential theft and re-use.
MS13-022 is listed as Critical in MS Silverlight, which is interesting since I wasn’t aware that anyone in the world had actually deployed Silverlight. If for some reason you have it in your environment, you probably want to patch this quickly, since the risk would be on par with a Flash vulnerability. Apparently this vulnerability applies to all versions of Silverlight, but the patch is only for Silverlight 5, so if you are on an older version of Silverlight you are vulnerable to this and may *not* be automatically prompted to update. This is another one of those vulnerabilities that will keep popping up for months, if not years, in Silverlight-using environments. If this is you, you need to get your users to Silverlight 5 to be protected. Older versions are no longer supported by Microsoft.
MS13-025, which applies to OneNote, would allow an attacker to read OneNote files and folders, even bypassing OneNote’s password protection and encryption tools, but requires the attacker to trick the user into opening a malicious OneNote file or folder, for example by sending it as an email attachment.
MS13-026, which applies to Outlook for Mac, will not require a restart. This vulnerability would allow a sender to determine whether an email address is live, which would help them target you or your organization with spam or phishing attacks.
I would patch these information disclosure issues in Office (MS13-025 & MS13-026) when doing so isn’t going to impact your users in any way. Ideally, a reasonably secure enterprise will have countermeasures in place that drastically mitigate the risk of successful exploitation of either of these vulnerabilities.
MS13-027, as expected, is another kernel-mode driver vulnerability giving elevation of privilege: same as last month, same as the month before, right? Well, not exactly. This one is in the USB device driver that provides device description services. When a USB device is connected, this runs immediately to identify the device, so physical access is required to exploit it; however, it can be exploited even if the system is locked, so a password-protected screensaver is not a mitigation. If you recall the (deprecated) “autorun” feature, which you could turn off: this runs before autorun would even have been reached. On the plus side, there is no remote vector, and it doesn't affect terminal services or virtualized environments.
The focus has changed direction from last month, when Office wasn’t addressed, to four of the seven advisories this month relating to Office. All advisories this month come from responsible, coordinated disclosure, and none are known to be the subject of active exploitation.