Microsoft Patch Tuesday Fixes XML Flaws, Blocks Potential Drive-By Attacks

3:32 PM EST Tue. Jan. 08, 2013
A Microsoft security update fixes two critical vulnerabilities in XML Core Services that could be used by attackers in drive-by attack campaigns. But the software giant did not address an Internet Explorer zero-day vulnerability that is being actively targeted by attackers.
Microsoft issued two critical bulletins and five important bulletins, addressing 12 vulnerabilities in Microsoft Windows, Office Developer Tools and Windows Server as part of its January 2013 Patch Tuesday security updates.
The two critical flaws in XML Core Services can be exploited remotely: an attacker tricks users into visiting a malicious Web page, which then infects them with data-stealing malware. The update, outlined in bulletin MS13-002, addresses the way XML Core Services parses XML content. It affects all supported versions of Microsoft Windows and Office, as well as Developer Tools and Server Software.
It's very likely that drive-by attacks will be set up to detect vulnerable systems, said Wolfgang Kandek, CTO of vulnerability management vendor Qualys. Attackers will not have a hard time reverse engineering the vulnerabilities because previous coding errors in XML Core Services were patched in 2012, he said. "It wouldn't be difficult for someone to do the same analysis, find the vulnerabilities and use the same infrastructure to exploit the problem again," Kandek said.
Patching administrators should be careful when testing and deploying the update because a lot of systems are impacted, according to Kandek. Newly installed applications can also potentially introduce an older version of the XML library, reintroducing the flaws, he said.
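Kandek's point that a freshly installed application can quietly bring back an older copy of the XML library is easy to check for. The script below is an added example, not code from the article, Qualys or Microsoft: it inventories MSXML DLLs on a Windows host (under the system directories and Program Files, where application-bundled copies usually land) and flags any copy whose file version is below a baseline. It assumes PowerShell 3 or later and the real MSXML file names msxml3.dll, msxml4.dll and msxml6.dll; the baseline version numbers are placeholders to be filled in from the file-version tables of the MS13-002 bulletin for your platform.

```powershell
# Added example (not the article's or Microsoft's code): inventory MSXML DLLs on a
# Windows host and flag any copy older than the minimum build expected after patching.
# Assumptions: PowerShell 3+; MSXML ships as msxml3.dll, msxml4.dll and msxml6.dll;
# the minimum versions below are PLACEHOLDERS, to be replaced with the file versions
# listed for your platform in the MS13-002 bulletin's file information tables.

$MinimumVersions = @{
    'msxml3.dll' = [version]'0.0.0.0'   # placeholder, fill from the bulletin
    'msxml4.dll' = [version]'0.0.0.0'   # placeholder
    'msxml6.dll' = [version]'0.0.0.0'   # placeholder
}

function Get-MsxmlInventory {
    [CmdletBinding()]
    param(
        # Roots to scan. Program Files is included because applications may
        # carry their own, older copy of the library alongside the system one.
        [string[]]$Roots = @(
            "$env:SystemRoot\System32",
            "$env:SystemRoot\SysWOW64",
            $env:ProgramFiles,
            ${env:ProgramFiles(x86)}
        )
    )

    foreach ($root in $Roots) {
        if (-not $root -or -not (Test-Path -LiteralPath $root)) { continue }

        Get-ChildItem -LiteralPath $root -Recurse -File -Filter 'msxml*.dll' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $info = $_.VersionInfo
                # Build the version from the numeric parts; the FileVersion string
                # sometimes carries trailing build tags that break [version] parsing.
                $ver = New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
                $name = $_.Name.ToLowerInvariant()

                $status = if (-not $MinimumVersions.ContainsKey($name)) {
                    'NoBaseline'        # an MSXML DLL we have no expected version for
                } elseif ($ver -lt $MinimumVersions[$name]) {
                    'BelowMinimum'      # older than the patched build: investigate
                } else {
                    'OK'
                }

                [pscustomobject]@{
                    Path    = $_.FullName
                    Version = $ver
                    Status  = $status
                }
            }
    }
}

# Usage: list every copy found, then show only the ones that need attention.
$inventory = Get-MsxmlInventory
$inventory | Sort-Object Status, Path | Format-Table -AutoSize
$inventory | Where-Object Status -eq 'BelowMinimum'
```

Running this before and after a new application rollout, and diffing the two inventories, catches the reintroduction case Kandek describes; a `BelowMinimum` entry under Program Files points at the application that shipped its own copy, while one under System32 or SysWOW64 means the system library itself was rolled back.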
Noticeably absent, according to patching experts, is a security update addressing an Internet Explorer zero-day vulnerability. Microsoft acknowledged that there have been reports of ongoing attacks targeting the error. The attacks have been linked by Symantec researchers to the Elderwood gang, known for cyberespionage activities and intellectual property theft. Qualys' Kandek said he wouldn't be surprised if Microsoft issued an emergency, out-of-band update addressing the flaw because proof-of-concept code is publicly available, making more widespread attacks possible. Pen testers maintaining the Metasploit framework have also released a module for the attack tool.
Researchers have found a way to bypass the automated workaround issued by Microsoft, making the attack more dangerous, said Jason Miller, manager of research and development at VMware. "Hearing that makes me think that they'll want to accelerate the release," Miller said. "It's difficult for them to pull quick turnaround because we're probably dealing with multiple vulnerabilities."
Miller urged IE users to install the automated workaround or upgrade to IE 9, and recommended updating antivirus signatures, because most security firms can detect malware attempting to exploit the flaw.
Microsoft also addressed a critical remote code execution vulnerability in Windows Print Spooler that could be exploited by an attacker sending a malicious print job. The attack can be used to corrupt memory, execute malicious code and leapfrog to more sensitive systems. In MS13-001, Microsoft said standard firewall configurations help mitigate the risk posed by the flaw. The security update affects users of Windows 7 and Windows Server 2008.
In addition, Microsoft issued five bulletins rated important. Microsoft fixed two vulnerabilities in System Center Operations Manager that could give an attacker elevated privileges. It repaired four flaws in the .NET Framework, fixed a flaw in the Windows kernel-mode driver, and fixed an Open Data Protocol vulnerability that could be exploited to cause a server or service to stop responding and restart.
Microsoft also addressed a vulnerability in the implementation of SSL/TLS that could allow an attacker to intercept and view encrypted Web traffic handshakes, and that could be used in man-in-the-middle attacks, VMware's Miller said. The issue is rated important and affects all versions of Windows.
"This is an interesting vulnerability itself but very difficult to exploit," Miller said. "We're talking about very specific configurations or difficult to exploit vulnerabilities."