Microsoft Patches GDI+ Zero Day; Experts Urge Close Look at ‘Important’ ASLR Bypass Patch

While Microsoft patched five critical vulnerabilities today, including the GDI+ zero day, experts urge a close look at an “important” patch addressing an ASLR bypass.

One zero-day down, one to go.

As expected, Microsoft did today patch a zero-day in its GDI+ graphics component (MS13-096) reported more than a month ago after exploits were spotted in the wild. The fix was one of 11 security bulletins—five critical—released as part of the December 2013 Patch Tuesday security updates.

Another zero-day, one affecting only Windows XP users, still remains unpatched despite active exploits targeting the vulnerability, which is found in the NDProxy driver that manages the Microsoft Telephony API. The attacks depend on a second vulnerability to deliver the exploit against an XP machine. Microsoft recommends turning off NDProxy as a mitigation until a patch is available.

While there were five critical bulletins released today, experts urge IT administrators to also prioritize an ASLR bypass vulnerability that was patched today and rated “important” by Microsoft.

MS13-106 takes care of an Office vulnerability that is being exploited in the wild, Microsoft said. Attackers hosting a malicious exploit online can trigger the vulnerability in hxds.dll, which enables a bypass of ASLR (Address Space Layout Randomization), a security feature in Windows that mitigates memory corruption exploits.

“The vulnerability could allow security feature bypass if a user views a specially crafted webpage in a web browser capable of instantiating COM components, such as Internet Explorer,” Microsoft said in its advisory. “The security feature bypass by itself does not allow arbitrary code execution. However, an attacker could use this ASLR bypass vulnerability in conjunction with another vulnerability, such as a remote code execution vulnerability that could take advantage of the ASLR bypass to run arbitrary code.”

ASLR bypasses have been more frequent this year, and have been rolled into a number of exploit kits. Introduced in Windows Vista, ASLR hampers the reliability of exploits by negating an attacker’s ability to predict where machine instructions will exist in memory. ASLR is particularly effective against buffer overflow attacks.

“This particular library, hxds.dll, has been used by numerous attacks in the wild with great success because it can be easily loaded into memory from a web page by using the ‘ms-help:’ protocol handler,” said Craig Young, security researcher at Tripwire. “Until today, the only options that protect against this were the removal of Office 2007/2010 installs or enabling Microsoft’s Enhanced Mitigation Experience Toolkit (EMET).”

Admins will also have to contend with yet another cumulative update for Internet Explorer. MS13-097 patches a number of remote code execution vulnerabilities in the browser, all the way back to IE 6. IE has been patched almost monthly this year and has been front and center in numerous targeted attacks.

Microsoft also patched a critical bug in its Authenticode signing algorithm that is being exploited. MS13-098 allows remote code execution if a user is enticed to run an application that contains a malicious, signed portable executable (PE) file. The patch modifies how the WinVerifyTrust function handles Windows Authenticode signature verification for PE files, Microsoft said.

“Attackers have been abusing installers from legitimate software makers to install malware. These installers are configured in a way to dynamically download code extensions that are not checked for correct signatures, and attackers have found a way to piggyback on that mechanism,” said Qualys CTO Wolfgang Kandek, who added that the patch prepares the system for a more stringent integrity check that prevents such exploits. Microsoft also issued a separate security advisory regarding the Authenticode patch, stating that after June 10, 2014 it will no longer recognize non-compliant signed binaries.

The two remaining critical bulletins, MS13-099 and MS13-105, patch remote code execution vulnerabilities in Microsoft Scripting Runtime Object Library and Exchange Server respectively. Three of the four Exchange vulnerabilities addressed in the bulletin, it’s worth noting, are publicly disclosed. The most serious is in the WebReady Document Viewing and DLP features of Exchange Server, Microsoft said.

The remaining bulletins—rated “important”—address one remote code execution bug, three privilege escalation issues and an information disclosure vulnerability:

  • MS13-100 patches a remote code execution vulnerability in Microsoft SharePoint Server; an attacker would have to be authenticated to the server to exploit the vulnerability. A successful exploit would enable an attacker to run code in the context of the W3WP service account on the SharePoint site.
  • MS13-101 fixes a privilege elevation issue in Windows Kernel-Mode Drivers. An attacker would have to log onto a system and run a malicious application to exploit the bug.
  • MS13-102 is a patch for a vulnerability in the LRPC Client that would allow an attacker to elevate their privileges on an LRPC server. Doing so would allow an attacker to install programs, manipulate data or create accounts. Valid credentials are needed to exploit this bug.
  • MS13-103 patches a vulnerability in ASP.NET SignalR that could elevate an attacker’s privileges if they are able to reflect JavaScript back to the user’s browser. Microsoft also issued an advisory for a flaw in ASP.NET view state that exists when Machine Authentication Code (MAC) validation is disabled through configuration settings.
  • MS13-104 is a fix for an information disclosure vulnerability in Microsoft Office. Successful exploits could give an attacker access tokens used to authenticate a user on a SharePoint or Office server site.
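The ASP.NET view state advisory mentioned in the list above concerns a setting an administrator can audit for directly. The following script, added here as an example and not part of the original article or of Microsoft's advisory, scans web.config XML and .aspx page directives for view state MAC validation being switched off (the `enableViewStateMac` attribute on `<pages>`, and the `EnableViewStateMac` page directive attribute); the sample configurations are constructed, showing the weak setting beside the corrected one.

```python
import re
import xml.etree.ElementTree as ET

# Page-directive form: <%@ Page ... EnableViewStateMac="false" ... %>
_DIRECTIVE = re.compile(
    r'<%@\s*Page\b[^%]*?\bEnableViewStateMac\s*=\s*(["\'])(?P<val>[^"\']*)\1',
    re.IGNORECASE | re.DOTALL)

def _label(elem):
    # Keep any <location path="..."> scope visible in the reported path.
    if elem.tag == "location" and "path" in elem.attrib:
        return f'location[@path="{elem.attrib["path"]}"]'
    return elem.tag

def _walk(elem, path):
    yield elem, path
    for child in elem:
        yield from _walk(child, f"{path}/{_label(child)}")

def web_config_findings(xml_text):
    """Paths of <pages> elements that set enableViewStateMac=false, whether
    directly under system.web or inside a <location>-scoped override."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem, path in _walk(root, _label(root)):
        if elem.tag.lower() != "pages":
            continue
        for name, val in elem.attrib.items():
            if name.lower() == "enableviewstatemac" and val.strip().lower() == "false":
                findings.append(path)
    return findings

def aspx_disables_mac(source):
    """True if an .aspx page directive turns view state MAC validation off."""
    m = _DIRECTIVE.search(source)
    return m is not None and m.group("val").strip().lower() == "false"

# Constructed samples: the weak setting beside the corrected one.
WEAK_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web><pages enableViewStateMac="false" /></system.web>
  <location path="reports">
    <system.web><pages enableViewStateMac="false" /></system.web>
  </location>
</configuration>"""
FIXED_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web><pages enableViewStateMac="true" /></system.web>
</configuration>"""
WEAK_ASPX = '<%@ Page Language="C#" EnableViewStateMac="false" %>\n<html/>'
```

Running `web_config_findings(WEAK_CONFIG)` reports both the site-wide and the `reports`-scoped overrides, while the corrected configuration yields no findings.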

Microsoft also sent out an advisory that revokes the digital signatures for nine private, third-party UEFI modules for Windows 8 and Windows Server 2012 machines. These modules would be loaded during a UEFI Secure Boot, if it is enabled.
