Patch Tuesday for August 2013 - 3 critical, 5 important

Filed Under: Cryptography, Denial of Service, Featured, Internet Explorer, Microsoft, Vulnerability, Windows

No real surprises from Microsoft this month on the patch front. As is usual for the summer in Redmond, things seem to slow down to the essentials.

Similar to last year though, MS has announced some policy changes in addition to fixes.

As Paul noted, there are three critical fixes released today, but two are more important than the third.

First off, MS13-059 fixes 11 remote code execution (RCE) flaws in Internet Explorer, including Internet Explorer 11 beta. This is what Microsoft refers to as a cumulative fix that addresses many different privately reported vulnerabilities.

While there is no reason to believe criminals were aware of these flaws before today, they won't rest on their laurels. Anytime there is a flaw in Internet Explorer it needs to be top priority in your patch list.

The second critical flaw is MS13-060 and affects users of Microsoft's aging XP and Server 2003 operating systems. It could allow remote code execution by exploiting a flaw in the OpenType font engine.

This is the third time in recent memory there has been an opportunity to be compromised by a font. Fortunately it only impacts the two oldest supported operating systems.

You do have a plan in place to upgrade all of your XP and Server 2003 systems by early 2014, right? Upgrading makes your systems more resilient to attack.

The last critical flaw, MS13-061, impacts Microsoft Exchange 2007, 2010 and 2013. Considering the vulnerabilities addressed by this patch are publicly known, Exchange servers should be updated as a priority.

This includes internal servers as well. These flaws can be exploited by asking a user of Outlook Web Access to open a maliciously crafted file under certain conditions.

The other fixes are for the Windows kernel, RPC, NAT, ADFS and IPv6 network stack.

There are a lot of unresolved issues that can result in denial of service when IPv6 is enabled, so it is good to see Microsoft addressing them.

On the announcement front, Microsoft is beginning the process of discontinuing support for digital certificates using MD5 hashes.

They have released two optional updates to the Download Center. One enhances the digital certificate management component of Windows to allow for a more policy-centric approach to what is allowed or disallowed.

The second (which relies on the first) abolishes support for MD5 hashed certificates.

They are available for testing now so that when they are automatically deployed in February 2014 you will have had enough time to ensure it doesn't break any of your critical applications.
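One practical way to get ahead of that February 2014 rollout is to inventory the certificates your own Windows machines already hold and flag any signed with MD5. The script below is an added example, not code from the original post or from Microsoft; it uses only the built-in Cert: drive and the .NET X509Certificate2 properties, and the store list it scans is an assumption you may want to widen.

```powershell
# Added example (not from the original post): list certificates in the local
# machine's Personal (My), intermediate CA and Trusted Root stores whose
# signature hash is MD5, so they can be reissued before MD5 support is removed.
# Store list is an assumption; add user stores (Cert:\CurrentUser\...) as needed.
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root')

$md5Certs = foreach ($store in $stores) {
    Get-ChildItem -Path $store | Where-Object {
        # SignatureAlgorithm.FriendlyName is e.g. 'md5RSA', 'sha1RSA' or 'sha256RSA'
        $_.SignatureAlgorithm.FriendlyName -like 'md5*'
    } | Select-Object @{n='Store'; e={ $store }},
                      Subject, Issuer, NotAfter, Thumbprint,
                      @{n='SigAlg'; e={ $_.SignatureAlgorithm.FriendlyName }}
}

if ($md5Certs) {
    # Each row is a certificate to replace (or a chain to retest) before February 2014
    $md5Certs | Format-Table -AutoSize
} else {
    Write-Host 'No MD5-signed certificates found in the scanned stores.'
}
```

Hits in the My and CA stores are the ones that break chain building, because a self-signed root's own signature is not what validation checks; treat Root-store hits as a prompt to look at what those roots have issued.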

If it is your job to assess the importance and priorities for updates at your organization, I recommend you take a look at this month's advice from the team at SophosLabs.


4 Responses to Patch Tuesday for August 2013 - 3 critical, 5 important

  1. Sturgeon · 252 days ago

    MS has revised bulletin MS13-052, one of the .NET updates in July; this time because they have released some new updates.

    "V2.0 (August 13, 2013): Bulletin revised to rerelease the 2840628, 2840632, 2840642, 2844285, 2844286, 2844287, and 2844289 updates. Customers should install the rereleased updates that apply to their systems. See the Update FAQ for more information."

  2. Watch out for the KB2859537 - it looks like installing it may cause serious problems, especially if installed on Win8.

  3. Cartman · 252 days ago

    If Micro$soft made cars instead of buggy, easy to hack software, most of the MS vehicles would spend more time in the garage getting repairs than on the street.

    • James · 238 days ago

      :-) Respectfully, do you own a new car? My wife's car is in the shop on a regular basis because of low tire pressure warnings and they can't stop it from triggering on a weekly basis. How about the news reports showing car thieves opening car doors with electronic devices and bypassing alarms. I have numerous Windows machines in my home and office, all patched and running smoothly, but I clean and repair machines for friends and family all the time. Sometimes it isn't the software, it is the user - and I'm not referring to you personally.


About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.