Cumulative Security Update of ActiveX Kill Bits (MS13-090)

ITS Advisory Number: 2013-108
Date(s) Issued: Tuesday, November 12, 2013
Subject: Cumulative Security Update of ActiveX Kill Bits (MS13-090)
Overview:

Microsoft has released a security update which addresses vulnerabilities discovered in multiple ActiveX controls. Exploiting these vulnerabilities could allow an attacker to take complete control of an affected system. ActiveX controls are small programs or animations that are downloaded or embedded in web pages and typically enhance functionality and the user experience. Exploitation may occur if a user visits a web page, or opens an HTML-formatted e-mail, that is specifically crafted to take advantage of one or more of these vulnerabilities. Successful exploitation of any of these vulnerabilities could allow an attacker to gain the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8
  • Windows Server 2003
  • Windows Server 2008
  • Windows Server 2012
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: High
Description: 

Microsoft has released a security update for ActiveX kill bits. The vulnerability exists in the InformationCardSigninHelper Class ActiveX control. If a user visits a specially crafted web page with Internet Explorer, the ActiveX control is loaded because no kill bit is set for it. This update addresses the vulnerability by setting kill bits so that the vulnerable control does not run in Internet Explorer. Successful exploitation could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
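A kill bit is a flag that Internet Explorer reads from the registry before instantiating a control: when bit 0x400 of the "Compatibility Flags" value under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID} is set, the control is refused. The following PowerShell function, added here as an example and not part of the advisory or of Microsoft's update, lets an administrator verify after patching that the kill bit is present for a given control. The CLSID passed in the usage line is a placeholder and must be replaced with the CLSID of the control named in the bulletin; the function name and its output fields are this example's own.

```powershell
# Added example (not from the advisory): report whether the ActiveX kill bit
# is set for a control, on both the native and the 32-bit (Wow6432Node) views
# of the registry, since 32-bit IE on 64-bit Windows reads the latter.
function Test-ActiveXKillBit {
    param(
        [Parameter(Mandatory = $true)]
        [string]$Clsid   # e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}', braces included
    )

    $KILL_BIT = 0x400   # COMPAT_KILL_BIT: IE will not instantiate the control

    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )

    foreach ($path in $paths) {
        # The key or value is absent on systems where no kill bit has ever been set
        # for this CLSID (and Wow6432Node does not exist on 32-bit Windows).
        $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                      -ErrorAction SilentlyContinue).'Compatibility Flags'

        $isSet = ($null -ne $flags) -and (($flags -band $KILL_BIT) -ne 0)

        [pscustomobject]@{
            RegistryPath = $path
            Flags        = if ($null -ne $flags) { '0x{0:X}' -f $flags } else { '<absent>' }
            KillBitSet   = $isSet
        }
    }
}

# Usage: PLACEHOLDER CLSID, replace with the CLSID of the control from the bulletin.
Test-ActiveXKillBit -Clsid '{00000000-0000-0000-0000-000000000000}' | Format-Table -AutoSize
```

A row with KillBitSet equal to False after the update has been applied (or an absent value on the registry view the browser actually uses) indicates the mitigation is not in place on that host and the update should be re-checked.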

Actions: 
  • Apply the security update provided by Microsoft to vulnerable systems immediately after appropriate testing.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Configure email clients to preview messages in plain-text format, rather than RTF or HTML format.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
References: 
Microsoft: http://technet.microsoft.com/en-us/security/bulletin/ms13-090
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3918
OSVDB: http://www.osvdb.org/show/osvdb/99647