Caution With MS13-061 !!

Microsoft has pulled its MS13-061 Exchange patch.  After reports of content index problems on Exchange Server 2013 following deployment, Microsoft has withdrawn the MS13-061 update for Exchange Server released this past Tuesday.  MS13-061 is very important because the vulnerabilities it fixes allow someone to send an email and get arbitrary code to run on the Exchange server itself.  They are already publicly disclosed, so expect the bad guys to move on this quickly.

The problems do not affect Exchange Server 2007 or 2010, and Microsoft says that those versions can proceed with testing and deployment.  In the meantime, Microsoft has removed the patch from Windows Update and its other distribution systems.

Knowledge Base article KB2874216 explains the problem in more detail and provides remediation guidance.

Problems:

  • The content index (CI) for mailbox databases shows “Failed” on the affected server.
  • The Microsoft Exchange Search Host Controller service is missing.
  • You see a new service that is named “Host Controller service for Exchange.”

The KB article describes two registry key changes to make.  After rebooting the server, the problem should be worked around.

That is two months in a row that Microsoft has pulled a buggy patch back from distribution.


Busy Day For Patches

Happy Valentine’s Day, everyone.  Our vendors are bringing us the gifts of security vulnerability patches.  Lots of them.  Yes, it’s extra work for our IT teams, but removing these vulnerabilities could mean that we all get to keep our jobs and remain in business.  I was hearing on the news today that Nortel is now coming clean about the fact that hackers 0wn3d their network for roughly 10 years, with full and complete access to everything.

Wonder how they got that?

Where is Nortel today?  Something to think about…

Microsoft released the expected batch of 9 patches:

  • MS12-008: Critical Remote Code Execution Vulnerabilities in Windows Kernel-Mode Drivers
  • MS12-009: Important Elevation of Privilege Vulnerabilities in Ancillary Function Driver
  • MS12-010: Critical Cumulative Security Update for Internet Explorer
  • MS12-011: Important Elevation of Privilege Vulnerabilities in Microsoft SharePoint
  • MS12-012: Important Remote Code Execution Vulnerability in Color Control Panel
  • MS12-013: Critical Remote Code Execution Vulnerability in C Run-Time Library
  • MS12-014: Important Remote Code Execution Vulnerability in Indeo Codec
  • MS12-015: Important Remote Code Execution Vulnerabilities in Microsoft Visio Viewer 2010
  • MS12-016: Critical Remote Code Execution Vulnerabilities in .NET Framework and Silverlight  (This one I would recommend holding off on, as Microsoft is expected to re-release after identifying a “metadata (logic) error”.)

Microsoft has also released Update Rollup 1 for Exchange Server 2010 SP2 http://www.microsoft.com/download/en/details.aspx?id=28809 to the Download Center.

Adobe released 2 Security Bulletins:

  • APSB12-02: Critical Security update available for Adobe Shockwave Player.  This update addresses critical vulnerabilities in Adobe Shockwave Player 11.6.3.633 and earlier versions on the Windows and Macintosh operating systems.  These vulnerabilities could allow an attacker, who successfully exploits these vulnerabilities, to run malicious code on the affected system.
  • APSB12-04: Important Security update available for RoboHelp for Word.  This update addresses an important vulnerability in RoboHelp 9 (or 8) for Word on Windows.  A specially crafted URL could be used to create a cross-site scripting attack on Web-based output generated using RoboHelp for Word.

There have also been vulnerabilities and patches announced for Mozilla Thunderbird and Firefox, and an as-yet-unpatched local exploit PoC has been released for Yahoo Instant Messenger 11.5.

UPDATE: Oracle has also released patches fixing 14 vulnerabilities in:

  • JDK and JRE 7 Update 2 and earlier
  • JDK and JRE 6 Update 30 and earlier
  • JDK and JRE 5.0 Update 33 and earlier
  • SDK and JRE 1.4.2_35 and earlier
  • JavaFX 2.0.2 and earlier

http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html

Start planning, testing, and patching, folks.

14 Patches Coming From Microsoft For February

Microsoft will release 14 bulletins for next Tuesday’s update.

3 items are rated “critical” and 11 are rated as “important”.


  • All three critical items deal with remote code execution vulnerabilities in Windows.
  • The important rated bulletins consist of vulnerabilities in Windows, Office, IE, Media Player and Publisher.
    • Seven remote code execution vulnerabilities
    • Three elevation of privileges issues
    • One information disclosure flaw

Get ready to drop some patches next week.  These remote code execution vulnerabilities will only remain “important” for as long as it takes to reverse engineer the patch code and identify the changes.  After that, they become critical.

78 Oracle Patches Coming

Here come some more patches for January.  Oracle will release 78 security fixes for vulnerabilities in its database, middleware and applications, next Tuesday.

  • 27 of the fixes are for the MySQL database product.
  • The highest CVSS Base Score among the MySQL bugs is 5.5, which falls into the “medium” range.
  • 1 of the MySQL vulnerabilities can be exploited over a network without log-in credentials.
  • 2 fixes are for Oracle’s Database product.
  • 11 patches are for Fusion Middleware.
  • 5 of the Fusion Middleware bugs can be remotely exploited with no user authentication required.

On the application front:

  • E-Business Suite is getting 3 patches
  • The supply chain application suite will receive 1
  • PeopleSoft will get 6
  • JD Edwards will have 8

17 patches will be released for Sun products, including 6 that can be remotely exploited with no credentials. Affected products include GlassFish Enterprise Server and the Solaris OS.  Another 3 patches are for Oracle’s virtualization technology, including VirtualBox.

Sharpen up your deployment tools…

ASP.NET Attack Code Published

Well, that didn’t take long, did it?  Aren’t you glad you took the advice of so many security bloggers and patched December’s out-of-cycle Microsoft ASP.NET Web development platform vulnerability?

Exploit code for the recently patched denial-of-service (DoS) vulnerability has been published online, increasing the risk of potential attacks.

Webmasters who maintain ASP.NET Web applications should deploy the patches in Microsoft’s MS11-100 security bulletin immediately if they haven’t already done so.  The update also addresses other ASP.NET vulnerabilities beyond the DoS.

http://www.networkworld.com/news/2012/011012-attack-code-published-for-serious-254730.html
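
The denial-of-service MS11-100 fixed is CVE-2011-3414, a hash-table collision attack on form-field parsing: a single POST with thousands of field names that all hash to one bucket turns every insert into a linear scan of that bucket.  The following is an added example, not the blog’s or Microsoft’s code.  It uses a self-written chained table and a DJB-style multiplicative hash (not .NET’s string hash) to show the quadratic cost, that seeding that hash family does not break its collisions, that a keyed hash does, and the request-wide field cap ASP.NET added (MaxHttpCollectionKeys, default 1000).  The attack body, key and bucket count are constructed for the demo.

```python
import hashlib
import secrets


def djb33a(s, seed=5381):
    """String hash of the h = h*33 + c family (DJBX33A). The seed parameter is
    here to show that a seed alone does not remove this family's collisions."""
    h = seed
    for c in s.encode():
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def keyed_hash(key):
    """Proper fix: a keyed hash, so which keys collide depends on a per-process secret."""
    def h(s):
        digest = hashlib.blake2b(s.encode(), key=key, digest_size=8).digest()
        return int.from_bytes(digest, "big")
    return h


def colliding_keys(n_pairs):
    """'Ez' and 'FY' collide under h*33+c (69*33+122 == 70*33+89), and the collision
    survives concatenation, so 2**n_pairs distinct keys share a single hash value."""
    keys = [""]
    for _ in range(n_pairs):
        keys = [k + p for k in keys for p in ("Ez", "FY")]
    return keys


class ChainedTable:
    """Minimal separate-chaining hash table that counts key comparisons (the DoS cost)."""

    def __init__(self, hashfn=djb33a, nbuckets=1024):
        self.buckets = [[] for _ in range(nbuckets)]
        self.hashfn = hashfn
        self.comparisons = 0

    def put(self, key, value):
        chain = self.buckets[self.hashfn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))


def parse_form(body, hashfn=djb33a, max_keys=None):
    """Parses a=1&b=2 into a table. max_keys models the request-wide cap ASP.NET
    added in MS11-100 (MaxHttpCollectionKeys, default 1000); None is the old behaviour."""
    pairs = body.split("&")
    if max_keys is not None and len(pairs) > max_keys:
        raise ValueError("too many form keys (%d > %d)" % (len(pairs), max_keys))
    table = ChainedTable(hashfn)
    for pair in pairs:
        k, _, v = pair.partition("=")
        table.put(k, v)
    return table


def attack_body(n_pairs=10):
    """Constructed attacker POST body: 2**n_pairs colliding field names (1024 by default)."""
    return "&".join(k + "=x" for k in colliding_keys(n_pairs))


def comparisons_for(hashfn, body=None):
    """Key comparisons needed to parse the body with the given hash function."""
    return parse_form(body or attack_body(), hashfn=hashfn).comparisons


if __name__ == "__main__":
    body = attack_body()
    seed = secrets.randbits(32)
    print("unkeyed DJB   :", comparisons_for(djb33a, body))
    print("seeded DJB    :", comparisons_for(lambda s: djb33a(s, seed), body))
    print("keyed blake2b :", comparisons_for(keyed_hash(secrets.token_bytes(16)), body))
    try:
        parse_form(body, max_keys=1000)
    except ValueError as e:
        print("capped parser :", e)
```

With 1024 colliding names the unkeyed and the seeded hash both pay 1023·1024/2 = 523,776 comparisons for one request, the keyed hash pays a few hundred, and the capped parser rejects the request before building the table.  The two mitigations are complementary: the cap bounds the worst case even where the hash cannot be changed, while the keyed hash removes the attacker’s ability to choose colliding inputs at all.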

January 2012 Microsoft Patches

Happy New Year, and here are the first significant Microsoft security patches for 2012.

This month’s patch batch contains 7 new Microsoft Security Bulletins.

MS12-001

Windows Kernel SafeSEH Bypass Vulnerability.  MS12-001 introduces a new “Security Impact” type to the Microsoft bulletins, “Security Feature Bypass”.  This issue is a bypass of SafeSEH for software compiled with Microsoft Visual C++ .NET 2003.  To make use of it, there must also be a vulnerability in the compiled software.  The bypass exists within Windows, so affected software does not need to be recompiled.

MS12-002

Object Packager Insecure Executable Launching Vulnerability.  MS12-002 is similar to the DLL preloading attack, except with executables rather than DLLs, which means SafeDllSearchMode cannot help mitigate this issue.  The issue applies to Microsoft Publisher (.PUB) files: an attacker could place a malicious executable in the same directory as a .PUB file.

MS12-003

CSRSS Elevation of Privilege Vulnerability.  MS12-003 affects the Windows Client/Server Runtime Subsystem (CSRSS) on systems configured with a double-byte character set (DBCS) system locale, such as Chinese, Japanese, or Korean.  Keep in mind that the locale on any system can be changed, so this patch should be applied regardless of the current locale.

MS12-004

DirectShow Remote Code Execution Vulnerability and MIDI Remote Code Execution Vulnerability.  MS12-004 contains two fixes for all systems except Windows 7: one for DirectShow and one for the Windows Multimedia Library.  This is the only critical bulletin for the month, and the MIDI issue provides a potential drive-by vector through crafted MIDI files.

MS12-005

Assembly Execution Vulnerability.  MS12-005 fixes an issue related to malicious executables deployed as a ClickOnce application and embedded within Office documents.

MS12-006

SSL and TLS Protocols Vulnerability.  MS12-006 fixes the well-known “BEAST” vulnerability, the chained-IV weakness in TLS 1.0 CBC cipher suites that lets an attacker with chosen-plaintext access to the client verify guesses at encrypted data one block at a time.  Apply this patch as soon as possible.
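
As an added example (not from the original post and not Microsoft’s code), the following Python models the CBC chaining that BEAST exploits and why a fresh random IV per record (the TLS 1.1 behaviour) closes it.  A toy Feistel cipher stands in for AES, the key and the “Cookie” block are constructed, and the attacker’s ability to make the client encrypt chosen plaintext (which BEAST obtains from code injected into the victim’s browser) is modelled as direct calls to the sender.  It demonstrates the IV predictability only; it does not model the specific change SChannel made in the patch.

```python
import hashlib
import os

BLOCK = 16


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_encrypt_block(key, block):
    """Toy 4-round Feistel cipher on 16-byte blocks: a stand-in for AES (NOT secure,
    but a bijection per key, which is all the CBC argument below needs)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, xor(left, _round_fn(key, rnd, right))
    return left + right


def cbc_encrypt(key, iv, plaintext):
    out, prev = b"", iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_encrypt_block(key, xor(plaintext[i:i + BLOCK], prev))
        out += prev
    return out


class Tls10Sender:
    """TLS 1.0 CBC: the IV for the next record is the last ciphertext block of the
    previous record, so anyone watching the wire knows the next IV in advance."""

    def __init__(self, key, iv):
        self.key, self.prev = key, iv

    def send(self, plaintext):
        ct = cbc_encrypt(self.key, self.prev, plaintext)
        self.prev = ct[-BLOCK:]
        return ct


class Tls11Sender:
    """TLS 1.1 CBC: a fresh random IV per record, transmitted explicitly in front of it."""

    def __init__(self, key, iv=None):
        self.key = key

    def send(self, plaintext):
        iv = os.urandom(BLOCK)
        return iv + cbc_encrypt(self.key, iv, plaintext)


def beast_recover_byte(sender, wire, c_prev, c_target, known15):
    """BEAST guess loop. The attacker has the client encrypt guess ^ c_prev ^ predicted_iv;
    when the predicted IV is right, the output equals c_target exactly when the guess is."""
    for g in range(256):
        guess = known15 + bytes([g])
        predicted_iv = wire[-1][-BLOCK:]      # correct only for TLS 1.0 chaining
        ct = sender.send(xor(xor(guess, c_prev), predicted_iv))
        wire.append(ct)
        if ct[-BLOCK:] == c_target:
            return g
    return None


def run(sender_cls, secret_byte=ord("7")):
    """Victim sends a header block, then a block holding 15 attacker-known bytes plus one
    unknown cookie byte (the alignment BEAST arranges). Returns the recovered byte or None."""
    key = b"k" * 16                            # constructed fixed key for reproducibility
    sender = sender_cls(key, b"\x00" * BLOCK)
    wire = [sender.send(b"GET / HTTP/1.1\r\n")]
    known15 = b"Cookie: sid=abc"               # 15 bytes the attacker already knows
    ct = sender.send(known15 + bytes([secret_byte]))
    wire.append(ct)
    c_target = ct[-BLOCK:]
    # Block XORed into the target plaintext: last block of the previous record (TLS 1.0)
    # or the explicit IV in front of this record (TLS 1.1). Both are visible on the wire.
    c_prev = wire[-2][-BLOCK:] if len(ct) == BLOCK else ct[:BLOCK]
    return beast_recover_byte(sender, wire, c_prev, c_target, known15)


if __name__ == "__main__":
    print("TLS 1.0 chained IV  :", run(Tls10Sender))   # recovers the secret byte
    print("TLS 1.1 explicit IV :", run(Tls11Sender))   # None: IV unknown when choosing plaintext
```

Against the chained sender the loop recovers the unknown byte with at most 256 records; against the explicit-IV sender the attacker still sees c_prev and c_target but cannot know the IV that will be applied to the chosen block before choosing it, so the equality test never becomes meaningful.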

MS12-007

AntiXSS Library Bypass Vulnerability.  MS12-007 resolves a bypass in the Microsoft Anti-Cross Site Scripting (AntiXSS) Library, similar in nature to MS12-001.  Although this belongs in the new “Security Feature Bypass” category, the impact is rated Information Disclosure.  Again, when combined with a flaw in the website behind the AntiXSS library, this vulnerability could be dangerous.

As always, these patches should be tested and implemented as quickly as possible.

Siemens To Issue SCADA Patches In January

According to Dark Reading, Siemens will release security updates in January to fix product vulnerabilities in the wake of public disclosure of vulnerabilities that could let an attacker take over a control system without need of a username or password.  Billy Rios posted details in his blog of some of the vulnerabilities he and Terry McCorkle found and reported in May.

Siemens confirmed it was in the process of fixing the flaws after initially denying their existence.  Rios claims to have reported roughly 1,000 bugs in industrial control system products during the past few years, and decided to go public after a Siemens PR representative told a reporter that the company had no outstanding bug reports.

He went public with the authentication bypass bug as well as two other issues: Simatic uses a default password, and when that password is changed to one containing a special character (question mark, exclamation point, etc.), it automatically reverts to the default without the user’s knowledge.  That default password likely aided the hacker “pr0f,” who accessed the water utility system in South Houston.

A Siemens spokesperson says it was all a big misunderstanding.  The firm had no intention of denying vulnerabilities it was working on.  Siemens issued a statement on its website: “Siemens was notified by IT experts about vulnerabilities in some of its automation products.  These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels.  We are aware of the reported vulnerabilities, first reported in May 2011.  Our development had immediately taken action and addressed these issues.  The vulnerabilities will be fixed by security updates, the first of which is planned to be issued in January 2012.  In December 2011 further vulnerabilities have been reported which are currently under investigation.  We thank Billy Rios and Terry McCorkle for reporting the vulnerabilities.”