Microsoft Patch Tuesday – seven bulletins, four critical, three RCEs, and even a fix for Macs

SophosLabs has just published its assessment of the March 2013 Microsoft Patch Tuesday updates.

There are seven bulletins this month, dealing with twenty documented vulnerabilities.

Four of the bulletins are deemed critical by Microsoft, and three deal with vulnerabilities that could lead to remote code execution.

Here are the results in one-stop tabular form:

Bulletin ID   Software component   MS threat level   SophosLabs assessment   Vuln type
MS13-021      Internet Explorer    Critical          High                    RCE
MS13-022      Silverlight          Critical          High                    RCE
MS13-023      Visio Viewer         Critical          High                    RCE
MS13-024      SharePoint           Critical          Medium                  EoP
MS13-025      OneNote              Important         Medium                  Leak
MS13-026      Office for Mac       Important         Medium                  Leak
MS13-027      Kernel drivers       Important         Medium                  EoP

RCE stands for remote code execution, where attackers may be able to trick the vulnerable software into running program code of their choice by feeding in maliciously-crafted data from the outside.

EoP means elevation of privilege, where a user or process with limited powers uses a software bug to trick an application or the operating system into carrying out operations that would usually be blocked.

(RCEs often only give remote cybercrooks the same system privileges as the current user; mix in an EoP as well and an attacker may be able to acquire administrative access from afar.)

Leak means an information disclosure flaw: a possible avenue for an attacker to bypass Access Control Lists (ACLs) or database security settings and view information that is supposed to be private.

Patching order

If you’re the sort of user or administrator who likes to prioritise your patches, I recommend that you stick to Microsoft’s numerical order.

That’s because, in the list above, the severity and risk of the patches decreases from top to bottom.

The obvious biggie is at the very top: this is a cumulative Internet Explorer update that covers off nine separate security holes, one of which is “in the wild,” having been publicly disclosed.

Importantly for the corporate world, this IE patch is needed for Internet Explorer versions from IE 6 all the way to IE 10.

Not even your really new or your really old PCs can be exempted from a prompt update.

So, if you’re an all-Windows shop, this is a patch you’ll want to push out as quickly as you can to everyone.

Clickable vulnerabilities

Of the four critical holes, the vulnerabilities in Internet Explorer, Silverlight and SharePoint are what might be called click-to-own bugs.

That means that simply browsing to a malicious web page could be enough to let an attacker exploit the vulnerability and gain control of your computer.

The Visio flaw requires you actually to open a malevolent Visio file in order to launch the attack.

Nevertheless, Visio files aren’t widely associated with malware attacks in the way that EXEs, DOCs, PDFs and others are.

In other words, talking potential victims into opening a Visio file, even if it is obviously from an unusual source, is likely to be much easier than persuading them to launch an unexpected EXE.

With this in mind, my advice is simple: get on with the critical patches as soon as you can.

Tomorrow would be nice; today would be even better.

You can probably get away with deferring the non-critical patches for a while, if it would make your change control committee happy.

But why wait?