Evolving Response and the March 2013 Bulletin Release

As my career in security response has grown over the years, I am often reminded of the words of Italian author Giuseppe Tomasi Di Lampedusa, who stated, “If we want everything to remain as it is, it will be necessary for everything to change.” There are some things that we wish to stay the same. At Microsoft, we strive to provide protections for our customers while being transparent in our processes and authoritative in our guidance. Of course, as the computing landscape shifts, we must shift with it to reach this goal on a consistent basis.

One recent shift has been the addition of applications made available through the Windows Store. As Mike Reavey mentions in his blog today, quite a bit of thought went into how we would provide security updates for these apps. In the end, our decision provides customers easy access to needed security updates in a timely manner without sacrificing transparency. The process for updating will be identical to any other type of update for a Windows Store app. The difference is that we’ll document the security issue through a security advisory and we’ll update the advisory when we release new updates. You can read the full policy for these apps here.

Another shift we’ve seen involves one of the “10 Immutable Laws of Security.” Law #3 states:

“If a bad guy has unrestricted physical access to your computer, it’s not your computer anymore.”

This law still holds true today. There’s no update we can provide that protects against a literal sledgehammer denial-of-service attack. However, we realized that there is a difference between casual physical access and unrestricted physical access. This month, we are addressing an issue in the Kernel-Mode Drivers (KMD – details below) where an attacker could own your machine by inserting a malicious USB device. While this isn’t the first issue to leverage physical access and USB devices, it is different in that it doesn’t require a machine to be logged on. It also provides kernel-level code execution where previous attacks only allowed code execution at the logged-on level. Because of this, someone with casual physical access, such as a custodian sweeping your office at night or a security guard making his rounds, could simply plug in a USB device to perform any action as an administrator.

This is much different than unrestricted physical access, where that same person would have to steal your machine, boot it using removable media, and decrypt files on the hard drive. While it may be tempting to dismiss this sort of issue since it requires physical access, again, we want to do what is best for the customer. Casual physical access combined with kernel-mode code execution represent a significant enough threat that we released an update to address this issue.

While this style of attack sounds like it could easily fit into the latest Brad Meltzer thriller, applying the update provides the needed protection against this issue. This is also a good reminder for companies to include physical security in their threat modeling.

Of course, neither of these changes are revolutionary, but we recognize we must continue to evolve our processes to match the ongoing evolution of computing and information security. It’s something that we always ask ourselves – is this the best way to protect our customers? Whenever that answer changes from yes to no, we adapt and grow to get that answer back to a solid yes.

Now on to today’s bulletins.

We’re releasing 7 bulletins, four Critical-class and three Important-class, addressing 20 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Server Tools, and Silverlight. For those who need to prioritize deployment, we recommend focusing on MS13-021, MS13-022 and MS13-027 first.

MS13-021 (Microsoft Internet Explorer)

This security update resolves nine issues in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner. All but one of these issues were privately disclosed and we have not detected any attacks or customer impact for any of the issues.

MS13-022 (Microsoft Silverlight)

This security update resolves an issue Microsoft Silverlight. The vulnerability could allow remote code execution if an attacker hosts a website that contains a specially crafted Silverlight application that could exploit this vulnerability and then convinces a user to view the website. This issue was privately reported and we have not detected any attacks or customer impact.

MS13-027 (Kernel Mode Drivers)

This security update resolves three issue in Microsoft Windows. These vulnerabilities could allow elevation of privilege if an attacker gains access to a system. In a default configuration, an unauthenticated attacker could only exploit this vulnerability if they have physical access to the system. Again, these issues were privately reported and we have not detected any attacks or customer impact.

Please watch the bulletin overview video below for a quick summary of today’s releases.

As always, we recommend that our customers deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month’s severity and exploitability index (click for larger view).

For more information about this month’s security updates, visit the Microsoft Security Bulletin summary webpage.

Andrew Gross and I will host the monthly technical webcast, scheduled for Wednesday, March 13, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about the March security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope you are able to evolve your own response processes to meet your next security challenge, and I look forward to hearing your questions during the webcast.

Thank you,

Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing