May Patch Tuesday coming up - Microsoft still not sure if latest 0-day fix will make the cut

Filed Under: Featured, Microsoft, Vulnerability

Microsoft's Patch Tuesday for May 2013 will be published in the coming week.

It'll be out on Tuesday 14 May 2013. (That's Wednesday 15 May for everyone from about Malaysia eastwards, because the updates go live mid-morning US Pacific time.)
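The date arithmetic behind that, as an added example that is not part of Ducklin's post: a small Python script that finds the second Tuesday of a month and converts the release instant into any IANA time zone, which is handy for anyone scripting a monthly patch window. It assumes a release time of 10:00 US Pacific (the time Ducklin recalls in the comments below; Microsoft does not publish it as a contract) and relies on the standard-library `zoneinfo` module, so Python 3.9 or later with system tzdata is needed.

```python
from datetime import date, datetime, timedelta
from zoneinfo import ZoneInfo

# Assumption (not stated in the post body): bulletins go live at 10:00
# US Pacific time on the second Tuesday of the month.
RELEASE_TZ = ZoneInfo("America/Los_Angeles")
RELEASE_HOUR = 10


def second_tuesday(year: int, month: int) -> date:
    """Calendar date of the second Tuesday of the given month."""
    first = date(year, month, 1)
    # date.weekday(): Monday == 0, so Tuesday == 1.
    days_to_first_tuesday = (1 - first.weekday()) % 7
    return first + timedelta(days=days_to_first_tuesday + 7)


def release_moment(year: int, month: int) -> datetime:
    """Timezone-aware instant at which that month's updates are assumed to ship."""
    d = second_tuesday(year, month)
    return datetime(d.year, d.month, d.day, RELEASE_HOUR, tzinfo=RELEASE_TZ)


def local_release(year: int, month: int, tz_name: str) -> datetime:
    """The same instant expressed in an IANA zone such as 'Asia/Kuala_Lumpur'."""
    return release_moment(year, month).astimezone(ZoneInfo(tz_name))


def local_patch_day(year: int, month: int, tz_name: str) -> str:
    """Human-readable local day and time, e.g. 'Wednesday 15 May 2013 01:00'."""
    return local_release(year, month, tz_name).strftime("%A %d %B %Y %H:%M")


def patch_tuesdays(year: int) -> list:
    """All twelve Patch Tuesday dates for a year, as ISO strings, for scheduling."""
    return [second_tuesday(year, m).isoformat() for m in range(1, 13)]


if __name__ == "__main__":
    # Constructed sample run for May 2013, the month discussed in the article.
    for zone in ("America/Los_Angeles", "Europe/London",
                 "Asia/Kuala_Lumpur", "Pacific/Auckland"):
        print(f"{zone:22s} {local_patch_day(2013, 5, zone)}")
```

For May 2013 the script reports Tuesday 14 May 18:00 in London but Wednesday 15 May 01:00 in Kuala Lumpur, which is why the "Tuesday" in Patch Tuesday depends on where you sit.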

Here's the elevator pitch:

  • 33 vulnerabilities identified and fixed.
  • Ten separate patches.
  • Eight rated Important. (Apply ASAP.)
  • Two rated Critical. (Apply immediately.)
  • A reboot is required.

Loosely translated, Microsoft's rating of important means the bug is serious (it could expose your data or let an attacker run code) but exploiting it generally needs some action on your part, such as opening a booby-trapped file or clicking through a dialog, so you'll usually get some sort of warning.

On the other hand, critical means that an exploit is likely (or already known) and that it can be used silently, without any user interaction: the classic drive-by install, where merely visiting a malicious web page is enough, with no popups or any other kind of warning.

The burning question about the May 2013 Patch Tuesday is this: will it fix CVE-2013-1347?

This is a remote code execution flaw (a use-after-free) in Internet Explorer 8 that has already been exploited in the wild to disseminate malware, most notably via a hacked website belonging to the US Department of Labor.

Microsoft has already published a temporary workaround for CVE-2013-1347 in the form of a Fix it tool, and has announced that it would like to have a permanent patch available in time for the coming Patch Tuesday.

As Microsoftie Dustin Childs from the Trustworthy Computing team wrote:

Of note, we are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140 [relating to CVE-2013-1347], supplementing the currently available Fix it.

In plain English, that means: "We've got a patch ready. We'd love to ship it out to everyone on Patch Tuesday, but we haven't quite decided whether it's 100% ready yet."

I suggest you assume that Microsoft will miss the Tuesday deadline for the CVE-2013-1347 patch, and will publish it in a so-called out-of-band, one-off update later in May.

In other words, prepare to patch twice in the month.

If Microsoft does hit its deadline, treat it as a handy bonus.

Update: [2013-05-14T20:07Z] Microsoft made it in time! The May 2013 Patch Tuesday update provides an official, permanent fix for CVE-2013-1347 in bulletin MS13-038.


9 Responses to May Patch Tuesday coming up - Microsoft still not sure if latest 0-day fix will make the cut

  1. Lese Majeste · 478 days ago

    Micro$oft Update: Crucial! Download this latest update to correct the errors in the last update, which was supposed to correct the errors in the previous update, which had tried to correct errors in the update prior to that one that......

    I'm starting to see a pattern. My next computer will have a Linux OS.

    • Paul Ducklin · 478 days ago

      That's a little harsh...not least because one of the items we're hoping MS will fix is a zero-day - that's a flaw that, by definition, wasn't known about at the time of the previous update. So it can't be an update to fix the error that was in the previous update :-)

      And, speaking as a Linux user myself (this comment is being typed on a Linux laptop), I can assure you that switching to Linux is not going to liberate you from the need to update regularly and frequently.

      But I get your point about updates to updates to updates. So you might enjoy this:

      http://nakedsecurity.sophos.com/2013/04/10/adobe-...

    • Paul Ducklin · 477 days ago

      That's exactly the URI I linked to above (twice :-)

      It's the article from which the above quote from Dustin Childs is taken: note that it doesn't *promise* the fix, just says that they're "working to have it" included.

      To be fair to Microsoft, even though I'm sure they have the code patched effectively and reliably (and they implied as much when the _Fix it_ came out), it's still a big ask to shovel the new code into every IE 8 in the universe with just one week's testing.

      They're allowed to be mildly cautious IMO, especially since either the _Fix it_ or the EMET can already squash the vulnerability.

      As I said when I wrote about the Fix it here: http://nakedsecurity.sophos.com/microsoft-rushes-...

      "[Microsoft] might break things that legitimate real-world websites rely on, and thus interfere with the workflow of some of [its] users. Even if the behaviour broken by [the] patch is [itself] a side-effect of the bug... users don't like security 'cures' that give the impression of being worse than the disease."

  2. foo · 477 days ago

    You don't have to get a new computer to switch to Linux. Linux Mint and Ubuntu provide the ability to install Linux within Windows. This gives you dual boot, without messing up your MBR.
    When you boot, if you want to go online, choose Linux. Boot into Windows only when you need to use a Windows program for which there is no Linux equivalent. Using a search engine, you can find lists of Linux equivalents to Windows Programs.
    If you decide that you don't like your installation of Linux, then you can uninstall it in Windows.

  3. MikeP_UK · 477 days ago

    You say that the M$ updates are available Tuesday, Wednesday for everywhere East of about Malaya - surely you mean WEST of Malaya. Here in the UK we don't get to see them until well into Wednesday and we're well West of Malaya. It's all about the way the Earth spins.

    • Paul Ducklin · 477 days ago

      Actually, I think it's more accurate and PC to say "Malaysia" these days...

      The Patch Tuesday updates come out at 10:00 (10am) Pacific time, or a shade earlier, if memory serves, on the second Tuesday of each month. That's 18:00 (6pm) *the same day* in the UK, according to my calculator, but 01:00 (1am) on Wednesday morning in Kuala Lumpur, at least during Northern Hemisphere daylight savings.

      The updates might appear in the UK after the usual working day, but if the clock hasn't got past 23:59 on Tuesday, it's still "Patch Tuesday," wouldn't you say?

      The sun rises in the East...it's all about the way the Earth spins :-)

  4. alex · 476 days ago

    Has Microsoft fixed the security hole in IE10/Windows 8 hacked in the last Pwn2Own 3 months ago?

    • Paul Ducklin · 476 days ago

      I think that fix is in MS13-037, part of the Patch Tuesday referred to in this article.

      For the record (and to be a little fairer on Microsoft) it was two months ago, and the exploit wasn't in-the-wild. So although it was a pity MS didn't fix it in April's Patch Tuesday, I'd suggest that no harm was done by leaving it until May instead of doing it "out of band" in the middle of the month.

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog