As frequent Naked Security readers know, I write up most of the Patch Tuesday announcements throughout the year. More often than not I take a measured approach, encourage folks to patch and leave it at that.
This month is one of the exceptions. Not only has Microsoft fixed 56 vulnerabilities, many of them are critical and can be exploited by simply hitting the wrong web site at the wrong moment.
17 of those vulnerabilities are in the 5 critical patches released this morning. The first is probably the most important, MS13-009.
This patch fixes 13 privately disclosed vulnerabilities in Internet Explorer that could result in remote code execution (RCE). In more simple terms, browsing to a malicious web site could result in malware being installed on your computer.
Often the distinction between privately and publicly disclosed vulnerabilities can make a difference as to the urgency of applying the fix. In this case, despite the bugs being privately disclosed Microsoft is warning that exploitation in the wild is imminent.
MS13-010 is a fix for one of the same CVEs included in MS13-009. You might consider it a double-check to make sure all systems are fixed against this particular VML vulnerability.
MS13-011 fixes a publicly known vulnerability in a Windows media codec. Opening a maliciously crafted media file could result in code execution.
Microsoft Exchange servers with Oracle’s Outside In technology could be vulnerable to both a denial of service (DoS) and an RCE if they don’t apply MS13-012.
The last of the critical patches, MS13-020, fixes flaws in the RTF file format that could allow RCE if a malicious RTF is opened in Wordpad or Word. Microsoft warns that this is likely to be exploited in the wild within 30 days.
The remaining fixes are all rated Important and mostly are elevation of privilege (EoP) and DoS vulnerabilities impacting Sharepoint, NFS server, .NET, Windows kernel (33 privately disclosed EoP vulns), TCP/IP and CSRSS.
The advice this Tuesday isn’t any different than any other Patch Tuesday. Patch early, patch often. If you are an Internet Explorer shop though, make sure you prioritize those patches to be deployed as soon as possible.Follow @chetwisniewski