Tuesday, July 9, 2013

Microsoft Update Tuesday: July 2013: an issue of TrueType fonts

This month's Update Tuesday looks pretty interesting. As usual, there's quite a few CVEs covered and most of them are once again in IE: there's a total of 7 bulletins, covering 34 CVE issues. However, one CVE is shared between 3 bulletins.

MS13-052 covers the .NET framework and Silverlight. There's a total of 7 CVEs fixed by the update associated with this bulletin. The bulletin is marked critical and could result in remote code execution or escalation of privileges if one of these vulnerabilities is exploited.

There's a total of 8 CVE isusues this month that pertain to the Windows Kernel, described in MS13-053. This bulletin is considered critical and can result in remote code execution, specifically due to vulnerability  related to TrueType fonts, which we discuss as part of MS13-054. Other vulnerabilities include a use-after-free and an overflow that can result in a potential escalation of privileges for an attacker.

One particularly interesting bug is described in MS13-054. While that bulletin specifically covers GDI+, the single CVE (CVE-2013-3129) associated with this bulletin is also shared by bulletins MS13-052 and MS13-053. This vulnerability is the result of a bug when handling maliciously crafted TrueType fonts.  The interesting part here is that a previous TrueType font issue was a 0-day exploited by the Duqu malware. Because TrueType fonts can exploited via a malicious Word document (or anything that can embed TrueType fonts - like Silverlight), this means that the issue can result in remote code execution.

MS13-055 is the bulletin that deals with IE. This one covers all supported versions of Internet Explorer (i.e., IE6-IE10) and covers 17 CVE issues. The bulletin is rated critical and covers a number of issues, mostly resulting in memory corruption which could allow an attacker to execute arbitrary code. As with previous IE vulnerabilities, the memory corruption issues are mostly the result of use after free issues, where an attacker can potentially access an object after the memory for it has freed. This type of vulnerability can result in a kind of type confusion, where in one part of the program the memory is still considered to be a particular object, while in another part it may have been reallocated and used as a different object. It can then potentially corrupt sensitive information (like a pointer) in the new object, which could allow attackers to overwrite arbitrary memory locations.

Windows DirectShow is updated through bulletin MS13-056. It patches a vulnerability that can result in memory corruption and that is potentially exploitable on all supported Windows versions except RTE and Server Core.

There's also a bulletin covering Windows Media Format (WMF): MS13-057, this bulletin handles a single CVE issue related to a potential underflow vulnerability in a DLL when opening a malicious WMF file, potentiall resulting in remote code execution. The patch for this vulnerability modies the way in which Windows Media Player opens media files.

Finally, the last bulletin released this month covers Windows Defender (MS13-058). This is the only bulletin marked as important: all the rest were considered critical. The bulletin is made up of a single CVE issue, that can result in a local vulnerability, potentially allowing an attacker to gain increased privileges.

We have detection for many of these vulnerabilities through SIDs: 27126-27139, 27147-27154, 27156-27157.


No comments:

Post a Comment