Microsoft's December 2013 Patch Tuesday security updates feature 11 bulletins addressing 24 vulnerabilities, most notably a patch for a recently discovered zero-day vulnerability in Windows GDI+, a developer library that provides two-dimensional vector graphics support.
The vulnerability was first disclosed publicly Nov. 5, and Microsoft provided a temporary mitigation for it later in the month. Pressure to deliver a permanent fix mounted, though, when security vendors FireEye and Symantec released separate reports linking the GDI+ zero day to the Operation Hangover attack campaign. FireEye also discovered that a separate collective of attackers, known as the ARx Group, had access to the vulnerability and had been using it to deliver the infamous Citadel banking malware.
Addressed in the first bulletin, MS13-096, the vulnerability lies in the way the graphics device interface handles TIFF images in Windows Vista, Windows Server 2008, Lync and Microsoft Office versions 2003 through 2010. In security advisory 2896666, the Redmond, Wash.-based software vendor noted that an attacker could exploit the GDI+ vulnerability remotely, either by tempting a victim into opening a malicious TIFF file or into visiting a website hosting the exploit image; a successful attacker would gain the same access rights as the current user.
While the GDI+ patch was expected, another high-profile zero day, this one in NDProxy.sys, the kernel driver that supports the telephony application programming interface (TAPI) in Windows XP and Windows Server 2003, was not addressed in this round of updates. Dustin Childs, group manager for Microsoft Trustworthy Computing, confirmed in a blog post last week that a permanent fix for the XP zero day, CVE-2013-5065, isn't ready just yet.
"We're still working to develop a security update, and we'll release it when ready," Childs said. "Until then, we recommend folks review the advisory and apply the suggested workaround on their Windows XP and Windows Server 2003 systems. Customers with more recent versions of Windows are not affected by this issue."
According to security advisory 2914486, successful exploitation of the XP vulnerability would let attackers run arbitrary code in kernel mode, meaning they could install programs; view, change or delete data; or create new accounts with full administrative rights. Microsoft currently recommends reconfiguring the NDProxy service so that it loads Null.sys instead of NDProxy.sys, though the company said taking such action will break certain services that rely on TAPI, including virtual private networking (VPN).
Wolfgang Kandek, chief technology officer of vulnerability management vendor Qualys, said Microsoft's workaround is not without risk. He explained that the only known in-the-wild exploits of the XP vulnerability rely on a separate Adobe Reader vulnerability to gain the local access needed to trigger the XP zero day. Since Adobe recently patched that Reader vulnerability, Kandek recommends that companies simply update Reader to the latest version for now, especially considering that the workaround could disrupt services handled by NDProxy, including telephony and VPN applications.
"The vulnerability continues to be in Windows, so if somebody can get on to your machine, they could still use it," Kandek said. "It doesn't take care of the problem, but the current attack vector is through PDF documents, so you would eliminate at least that attack vector."
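The following script is an added example, not code from the article or from Microsoft's advisory: it applies, checks and rolls back the NDProxy-to-Null.sys workaround described above, and warns first about the TAPI-dependent services (telephony, remote access, VPN) that Kandek notes the change will disrupt. It assumes the default driver location for rollback, must run from an elevated PowerShell prompt on Windows XP or Windows Server 2003, and the change only takes effect after a reboot.

```powershell
# Added example (not from the article or the advisory): manage the
# NDProxy -> Null.sys workaround from Security Advisory 2914486 (CVE-2013-5065).
# Usage:  .\ndproxy-workaround.ps1            (show current state)
#         .\ndproxy-workaround.ps1 apply      (point NDProxy at Null.sys, then reboot)
#         .\ndproxy-workaround.ps1 revert     (restore NDProxy.sys, then reboot)

$ServiceName  = 'NDProxy'
$NullPath     = 'system32\drivers\null.sys'     # workaround target named in the advisory
$OriginalPath = 'system32\drivers\ndproxy.sys'  # ASSUMED stock ImagePath, used only for rollback
$RegKey       = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

function Get-NdproxyImagePath {
    # ImagePath is the binary the service control manager loads for NDProxy at boot.
    (Get-ItemProperty -Path $RegKey -Name ImagePath).ImagePath
}

function Test-NdproxyWorkaround {
    # True when NDProxy currently resolves to Null.sys, i.e. the workaround is in place.
    (Get-NdproxyImagePath) -match 'null\.sys$'
}

function Show-TapiImpact {
    # Services that sit on TAPI and stop working once NDProxy is neutered:
    # TapiSrv (telephony), RasMan and RemoteAccess (dial-up and VPN).
    foreach ($name in 'TapiSrv', 'RasMan', 'RemoteAccess') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -eq 'Running') {
            Write-Warning "$name is running and will be affected by the NDProxy workaround"
        }
    }
}

function Set-NdproxyPath([string]$Path) {
    # Use sc.exe explicitly: inside PowerShell, 'sc' is an alias for Set-Content.
    # sc.exe requires the space after 'binPath=' in its option syntax.
    & sc.exe config $ServiceName binPath= $Path | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed with exit code $LASTEXITCODE" }
}

switch ($args[0]) {
    'apply'  { Show-TapiImpact; Set-NdproxyPath $NullPath; 'NDProxy now points at Null.sys; reboot required' }
    'revert' { Set-NdproxyPath $OriginalPath; 'NDProxy restored; reboot required' }
    default  {
        "NDProxy ImagePath : $(Get-NdproxyImagePath)"
        "Workaround active : $(Test-NdproxyWorkaround)"
    }
}
```

Run the script with no argument before and after the reboot to confirm the ImagePath actually changed; the warnings from Show-TapiImpact are the cue to decide, as Kandek suggests, whether patching Reader and waiting for the bulletin is the better trade for hosts that depend on RAS or VPN.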
As for the rest of the December Patch Tuesday release, bulletin two, MS13-097, addresses seven vulnerabilities in Internet Explorer (IE) versions 6 through 11. The most severe of them are remotely exploitable and could give an attacker the same access rights as the logged-on user. Microsoft advises enterprises to prioritize the first three bulletins, and given the central role IE plays in many enterprises, Kandek agrees that bulletin two deserves immediate attention.
December Adobe Updates
Separately, Adobe's December 2013 release includes a total of five security updates to its products, three of which the company has assigned its highest priority rating.
In particular, Adobe noted it is aware of reports that attackers are tricking users into opening Microsoft Word documents that contain malicious Flash content. The company urges users to update Flash Player to version 11.6 or later, in which the issue has been patched.
Adobe also emphasized that it does not believe any of the bulletins released today are related to the stolen source code the company commented on in October. A full rundown of the updates can be found at the Adobe PSIRT blog.
"I think that is always one thing that I would install as quickly as possible," Kandek said.
Bulletin three, MS13-098, fixes a vulnerability that can be exploited remotely if a user or application runs or installs a malicious portable executable (PE) file. The vulnerability is present in several versions of Windows and Windows Server.
Bulletin four, MS13-099, addresses another remotely exploitable vulnerability that attackers can deliver via malicious websites. Affecting several versions of Windows and Windows Server, the update changes how the Microsoft Scripting Runtime Object Library handles objects in memory.
Bulletin five, MS13-105, remediates four vulnerabilities affecting Microsoft Exchange Server 2007, 2010 and 2013. According to Kandek, the vulnerabilities stem from the Oracle Outside In libraries that Microsoft licenses for Exchange; those libraries parse a number of document and graphics formats, the chief one being PDF. He said Exchange can only be targeted by these vulnerabilities through Outlook Web Access (OWA), where users interact with email via a web browser instead of the native Outlook client. For enterprises whose users don't depend on OWA, Kandek recommends simply shutting it off, because he expects this issue to come up again in future Patch Tuesday releases.
"This is going to happen every three months now, because I'm certain that Oracle will continue to fix and address vulnerabilities in that library," he noted.
Bulletins 6 through 11 have all been deemed important and affect a wide range of Microsoft offerings, including various versions of Windows, Office, Windows Server and certain developer tools, including Visual Studio.
All told, 2013 saw Microsoft issue 106 software update bulletins. Though that number seems hefty compared with the 83 delivered in 2012, it is right in line with the 100 bulletins of 2011 and the 106 bulletins of 2010. Kandek noted that Microsoft switched to monthly Internet Explorer updates this year, as opposed to the every-other-month updates released last year, which alone accounts for at least six more bulletins.
"So I think we can expect around 100 bulletins every year now," Kandek said.