Caution With MS13-061 !!

Microsoft has pulled its MS13-061 Exchange patch.  After reports of content damage to Exchange Server 2013 after deployment, Microsoft has withdrawn the MS13-061 update for Exchange Server released this past Tuesday.  MS13-061 is very important because it allows someone to send an email and get arbitrary code to run on the Exchange server itself.  It’s already publicly disclosed so expect the bad guys to move on this quickly.

Problems do not affect Exchange Server 2007 or 2010 and Microsoft says that those versions can proceed with testing and deployment.  In the meantime, they have removed the patch from Windows Update and other distribution systems.

Knowledge Base article KB2874216 explains the problem in more detail and provides remediation guidance.


  • The content index (CI) for mailbox databases shows “Failed” on the affected server.
  • The Microsoft Exchange Search Host Controller service is missing.
  • You see a new service that is named “Host Controller service for Exchange.”
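
A quick way to check a server for the three symptoms listed above, as an added example (not taken from the KB article or from Microsoft). It assumes it is run in the Exchange Management Shell on the Exchange 2013 server being checked; the function name is hypothetical and the service display names are the ones quoted in this post.

```powershell
# Added example: report which of the three MS13-061 symptoms are present locally.
# Assumption: run from the Exchange Management Shell on the server itself.
function Test-Ms13061Symptoms {
    param([string]$Server = $env:COMPUTERNAME)

    # Symptom 1: content index (CI) for a mailbox database copy shows "Failed".
    $failedIndexes = @(Get-MailboxDatabaseCopyStatus -Server $Server |
        Where-Object { $_.ContentIndexState -eq 'Failed' })

    # Symptom 2: the original search service is no longer registered.
    $searchSvc = Get-Service -DisplayName 'Microsoft Exchange Search Host Controller' `
        -ErrorAction SilentlyContinue

    # Symptom 3: a service with the new display name has appeared.
    $renamedSvc = Get-Service -DisplayName 'Host Controller service for Exchange' `
        -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        Server               = $Server
        FailedContentIndexes = ($failedIndexes | ForEach-Object { $_.Name }) -join ', '
        SearchServiceMissing = ($null -eq $searchSvc)
        RenamedServiceFound  = ($null -ne $renamedSvc)
    }

    # Any single symptom is enough to flag the server for the KB2874216 remediation.
    $affected = ($failedIndexes.Count -gt 0) -or
                $result.SearchServiceMissing -or
                $result.RenamedServiceFound
    $result | Add-Member -NotePropertyName LikelyAffected -NotePropertyValue $affected -PassThru
}

Test-Ms13061Symptoms | Format-List
```

A content index can also show as failed for reasons unrelated to this patch, so treat the two service checks as the stronger signal.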

The KB article describes 2 registry key changes to make. After rebooting the server, the problem should be bypassed.

That is 2 months in a row that MS has pulled a buggy patch back from distribution.

Busy Day For Patches

Happy Valentine’s Day everyone.  Our vendors are bringing us the gifts of security vulnerability patches.  Lots of them.  Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs, and remain in business.  I was hearing on the news today that Nortel is now coming clean regarding the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today?  Something to think about…

Microsoft released the expected batch of 9 patches:

  • MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
  • MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
  • MS12-010: Critical Cumulative Security Update for Internet Explorer
  • MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
  • MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
  • MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
  • MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
  • MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
  • MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight  (This one I would recommend holding off on, as Microsoft is expected to re-release after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 to the Download Center.

Adobe released 2 Security Bulletins:

  • APSB12-02: Critical Security update available for Adobe Shockwave Player.  This update addresses critical vulnerabilities in Adobe Shockwave Player and earlier versions on the Windows and Macintosh operating systems.  These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
  • APSB12-04: Important Security update available for RoboHelp for Word.  This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows.  A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird and Firefox, and an as yet unpatched local exploit POC code release for Yahoo Instant Messenger 11.5.

UPDATE: Oracle also released patches fixing 14 vulnerabilities in:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

Start planning, testing, and patching, folks.

14 Patches Coming From Microsoft For February

Microsoft will release 14 bulletins for next Tuesday’s update.

3 items are rated “critical” and 11 are rated as “important”.





  • All three critical items deal with remote code execution vulnerabilities in Windows.
  • The important rated bulletins consist of vulnerabilities in Windows, Office, IE, Media Player and Publisher.
    • Seven remote code execution vulnerabilities
    • Three elevation of privileges issues
    • One information disclosure flaw

Get ready to drop some patches next week.  These remote code execution vulnerabilities will only remain “important” for as long as it takes to reverse engineer the patch code and identify the changes.  After that, they become critical.

Microsoft Prepares Threat Intelligence Service

ThreatPost reports that Microsoft is testing a new service to distribute information from captured botnets and other sources to partners, including foreign governments, Computer Emergency Response Teams (CERTs) and private corporations.

Microsoft expects to offer three real-time feeds, which third parties could access for free.  Organizations would provide Microsoft with information on their IT infrastructure, such as an IP address block that they own.  Microsoft would then filter its threat feed by that information, supplying subscribers with data relevant to their infrastructure.  Companies could use the data to look for malware infections, or correlate data on botnet hosts with data on click fraud and other scams.  CERTs might be interested in threats relevant to their region. Microsoft hopes this service will also help smaller organizations battle large, powerful, global botnets, lowering the cost of monitoring and responding to infections.  The company wouldn’t give a timeline for the real-time threat feed.

Despite the proliferation of “Bad Microsoft, just fix your code” comments on the ThreatPost site, I see this personally as the right track to take given the current state of things, and applaud the moxie Microsoft is showing in the battle against malware.  Yes, Microsoft and EVERY other vendor needs to constantly improve their code and coding practices.  Blah blah blah.  What will NEVER happen is one day we will wake up and all code will be impervious to attack and exploitation.  We have yet to perfect human creativity, and we are light years away from producing unflawed anything.  Give it a rest.

My concerns with this I hope are addressed before Microsoft opens the feed-gates.  How will the data that is captured from botnet command and control servers, and I suspect from data repositories associated with those C&Cs, be managed?  Will it be handed over intact, leaving anyone infected subject to their own personal wiki-leaks in reverse (Government gets your goodies), or will it be properly sanitized to protect individual privacy?  How will this data cleansing be made transparent?  I trust everybody at the table, as long as I can cut the cards and watch the deal…

ASP.NET Attack Code Published

Well, that didn’t take long, did it?  Aren’t you glad you took the advice of so many security bloggers and patched December’s out-of-cycle Microsoft ASP.NET Web development platform vulnerability?

Exploit code for the recently patched denial-of-service (DoS) vulnerability has been published online, increasing the risk of potential attacks.

Webmasters who maintain ASP.NET Web applications should deploy the patches in Microsoft’s MS11-100 security bulletin immediately if they haven’t already done so.  The patch also addresses other ASP.NET vulnerabilities.

January 2012 Microsoft Patches

Happy New Year, and here are the first significant Microsoft security patches for 2012.

This month’s patch batch contains 7 new Microsoft Security Bulletins.


  • MS12-001: Windows Kernel SafeSEH Bypass Vulnerability.  Introduces a new “Security Impact” type to the Microsoft Bulletins, “Security Feature Bypass”. This issue is a bypass of the SafeSEH setting on software compiled with Microsoft Visual C++ .NET 2003. In order to make use of it, there must also be a vulnerability in your compiled software. The bypass exists within Windows, and compiled software will not need to be recompiled.
  • MS12-002: Object Packager Insecure Executable Launching Vulnerability.  Similar to the DLL preloading attack, except with Executables rather than DLLs, which means SafeDllSearchMode cannot help mitigate this issue. The issue applies to Microsoft Publisher (.PUB) files, where an attacker could place a malicious file in the same directory as a .PUB file.
  • MS12-003: CSRSS Elevation of Privilege Vulnerability.  Affects the Windows Client Server Runtime Subsystem (CSRSS) on double-byte (Unicode) locale (such as Chinese, Japanese, or Korean system locales). Keep in mind that the locale on any system can be changed, so this patch should be applied regardless of the current locale.
  • MS12-004: DirectShow Remote Code Execution Vulnerability and MIDI Remote Code Execution Vulnerability.  This patch contains two fixes for all except Windows 7 systems: one for DirectShow and one for the Windows Multimedia Library.  This is the only critical patch for the month, providing a potential drive-by vector related to MIDI files.
  • MS12-005: Assembly Execution Vulnerability.  This patch fixes an issue related to malicious EXEs deployed as a ClickOnce application and embedded within Office Documents.
  • MS12-006: SSL and TLS Protocols Vulnerability.  This patch fixes the well known “BEAST” vulnerability. Apply this patch as soon as possible.
  • MS12-007: AntiXSS Library Bypass Vulnerability.  This patch resolves a bypass in the Microsoft AntiXSS Library similar to MS12-001. Although this should be in the new “Security Feature Bypass” category, the impact is considered Information Disclosure. Again when combined with a flaw in the website that lies behind the AntiXSS library, this vulnerability could be dangerous.

As always, these patches should be tested and implemented as quickly as possible.

Microsoft Sues UK Retail Chain For Pirating Windows

ComputerWorld reports that Microsoft is suing a UK retail electronics chain for selling Windows recovery discs to customers, claiming that the practice amounts to piracy.  I think that they are going to be challenged to make a strong case.  It will be interesting to see how this one unfolds.

Microsoft accuses Comet Group PLC of illegally copying Windows XP and Vista to create operating system recovery discs.  These copies were then sold to Windows desktop and laptop customers in 2008 and 2009.  Comet, operating about 250 UK stores, believes it was on solid legal ground.

Comet approached 95,000 PC customers over a 2 year period, and offered to sell them unnecessary recovery discs, according to Microsoft’s anti-piracy legal team.  The recovery software was already provided on the hard drive by the computer manufacturer.

The total take for Comet from this exercise is estimated at about 2.2 million dollars.  Not bad.

So is Comet just fulfilling a need that Microsoft has stopped providing in order to cut costs, or does Comet have some accountability or obligation for controlling how these recovery CDs are used after sale?  My understanding is that Microsoft’s own VAR agreement states that these CDs can be provided by the reseller “for a nominal fee”.  Is $25 a nominal fee?  If the recovery software is on the hard drive, does that preclude the VAR’s ability to collect the nominal fee and distribute the CDs?  What’s your take on this?