Severity: High
Summary:
- These vulnerabilities affect: Internet Explorer (IE) 10 and earlier
- How an attacker exploits them: Typically, by enticing one of your users to visit a web page with malicious content
- Impact: Various; In the worst case, an attacker can execute code on your user’s computer, often gaining complete control of it
- What to do: Install Microsoft’s Internet Explorer updates immediately, or let Windows Automatic Update do it for you
Exposure:
In a relatively unusual move, Microsoft released two Internet Explorer (IE) security bulletins today, rather than their typical single cumulative update. Combined, the two bulletins fix 14 vulnerabilities in the popular web browser, many of which allow attackers to execute code on vulnerable Windows systems.
We summarize the two bulletins below:
- MS13-009: February IE Cumulative Update
This update fixes 13 vulnerabilities in IE, most of them being “use after free” vulnerabilities similar to the ones Microsoft fixed with last month’s out-0f-cycle IE bulletin. By luring one of your users to a web site containing malicious code, a remote attacker can exploit most of these vulnerabilities to execute code on your computer, with your privileges. As always, if you have local administrator privileges, the attacker could exploit this issue to gain complete control of your computer.
Microsoft rating: Critical
- MS13-010: VML Memory Corruption Vulnerability
Vector Markup Language (VML) is a graphics standard for creating 2D vector illustrations with XML files. The VML component in IE suffers from a memory corruption vulnerability having to do with how it allocates buffers. By enticing your users to a web site with specially crafted content, a remote attacker could exploit this flaw to execute code on that user’s computer, with the user’s privileges. Since most Windows users have local administrative privileges, this sort of attack often gives the attacker complete control of their computers.
Microsoft rating: Critical
Malicious hackers often leverage these types of vulnerabilities in drive-by download attacks, and they also target legitimate web sites and booby-trap them with malicious code. In other words, you can sometimes encounter these sorts of “drive-by download” attacks even while visiting trusted, legitimate web sites. We recommend you update your IE users immediately.
Solution Path:
These updates fix serious issues. You should download, test, and deploy the appropriate IE patches immediately, or let Windows Automatic Update do it for you.
The links below point directly to the “Affected and Non-Affected Software” section of each bulletin, where you can find links to the various updates:
For All WatchGuard Users:
These attacks travel as normal-looking HTTP traffic, which you must allow if your network users need to access the World Wide Web. Therefore, the patches above are your best solution.
That said, WatchGuard’s Gateway Antivirus and Intrusion Prevention Service can often prevent these sorts of attacks, or the malware they try to distribute. For instance, our IPS team has created signatures for the following:
- Various “use after free” vulnerabilities – CVE-2013-0018, CVE-2013-0019, CVE-2013-0020, CVE-2013-0021, CVE-2013-0022, CVE-2013-0023, CVE-2013-0024, CVE-2013-0025, CVE-2013-0026, CVE-2013-0027, CVE-2013-0028, CVE-2013-0029
- JIS character encoding vulnerability – CVE-2013-0015
- VML memory corruption vulnerability – CVE-2013-0030
These signatures will be available in our next IPS update, which should come out shortly. We highly recommend you enable our security services on your WatchGuard XTM and XCS appliances, and keep IPS and AV up to date.
Status:
Microsoft has released patches to fix these vulnerabilities.
References:
This alert was researched and written by Corey Nachreiner, CISSP (@SecAdept).