There’s a remotely exploitable, publicly disclosed, critical remote code execution vulnerability in Microsoft Exchange (MS13-061)! But wait, is it really remotely exploitable? Well, not in the sense that user interaction is not required, it’s a parser issue that is only triggered by a user opening a malicious message in Outlook Web Access (OWA).
Okay, but it’s still publicly disclosed right? I mean this is out there? The bad guys have it, right? Well, not exactly. It’s public in the sense that this vulnerability is in a third party component (Oracle’s to be precise) which has already been patched by the “upstream” vendor. There have been no reports of active exploitation in the wild.
Well fine then. It’s still MS Exchange right? Yes, sure, it is still an Exchange issue and odds are you have that in your organization. You might even have some people who routinely use OWA. You should patch this in your next maintenance window.
Also important, critical even, in this month’s collection is the mandatory IE patch rollup (MS13-059), featuring a fix for one of the 2013 pwn2own winners. That’s only a 5 month turnaround for a fix, fast by MS standards. The other critical this month is MS13-060 which is a flaw in Unicode text parsing. A user would have to be induced to open a malicious file and this only affects Windows XP and 2003. Both of these issues should be patched ASAP.
Perhaps the most genuinely interesting vulnerability this month is MS13-062 which is reported as an Elevation of Privilege because it’s a post authentication issue in RPC. Microsoft has described this as extremely difficult to exploit, which I can only assume is a challenge to exploit writers everywhere to prove them wrong.
There’s also a mixed bag of privilege elevation and denial of service issues, and one information disclosure. You shouldn’t ignore these, but don’t lose additional sleep over them. MS13-064 only affects Server 2012 performing NAT, and is limited to exploitation from the local network, but is a persistent DoS (server restart required to clear). If you’re in the business of securing networks and those are your biggest concerns, then you are doing far better than most… Assuming you have confidence that Microsoft has the best exploit writers in the world and no one out there can figure out how to turn that DoS into code execution.
Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.