SophosLabs has just published its assessment of the March 2013 Microsoft Patch Tuesday updates.
There are seven bulletins this month, dealing with twenty documented vulnerabilities.
Four of the bulletins are deemed critical by Microsoft, and three deal with vulnerabilities that could lead to remote code execution.
Here are the results in one-stop tabular form:
Bulletin ID | Software component | MS threat level | SophosLabs assessment | Vuln type |
---|---|---|---|---|
MS13-021 | Internet Explorer | Critical | High | RCE |
MS13-022 | Silverlight | Critical | High | RCE |
MS13-023 | Visio Viewer | Critical | High | RCE |
MS13-024 | Sharepoint | Critical | Medium | EoP |
MS13-025 | OneNote | Important | Medium | Leak |
MS13-026 | Office for Mac | Important | Medium | Leak |
MS13-027 | Kernel drivers | Important | Medium | EoP |
• RCE stands for remote code execution, where attackers may be able to trick the vulnerable software into running program code of their choice by feeding in maliciously-crafted data from the outside.
• EoP means elevation of privilege, where a user or process with limited powers uses a software bug to trick an application or the operating system into carrying out operations that would usually be blocked.
(RCEs often only give remote cybercrooks the same system privileges as the current user; mix in an EoP as well and an attacker may be able to acquire administrative access from afar.)
• Leak means an information disclosure flaw: a possible avenue for an attacker to bypass Access Control Lists (ACLs) or database security settings and view information that is supposed to be private.
Patching order
If you’re the sort of user or administrator who likes to prioritise your patches, I recommend that you stick to Microsoft’s numerical order.
That’s because, in the list above, the severity and risk of the patches decrease from top to bottom.
The obvious biggie is at the very top: this is a cumulative Internet Explorer update that covers off nine separate security holes, one of which is “in the wild,” having been publicly disclosed.
Importantly for the corporate world, this IE patch is needed for Internet Explorer versions from IE 6 all the way to IE 10.
Not even your really new or your really old PCs can be exempted from a prompt update.
So, if you’re an all-Windows shop, this is a patch you’ll want to push out as quickly as you can to everyone.
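As an added example (not code from the article or from SophosLabs), the ranking rule this section describes, expressed as a small Python script: it transcribes the bulletin table above as data, sorts by Microsoft's threat level, then by the SophosLabs assessment, with the bulletin number as tie-breaker, and checks whether that severity order coincides with Microsoft's numerical order. The "Moderate" and "Low" labels in the rank tables are Microsoft's other severity ratings, included so the functions work for months the article does not cover.

```python
"""Added example (not from the article): rank Patch Tuesday bulletins the way
the 'Patching order' section describes and check whether that ranking
coincides with Microsoft's numerical order."""
from dataclasses import dataclass

# Rank scales: lower number means more urgent. Critical/Important and High/Medium
# are the labels used in the article's table; the remaining labels are
# Microsoft's other severity ratings, included so the code generalises.
MS_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}
LAB_RANK = {"High": 0, "Medium": 1, "Low": 2}


@dataclass(frozen=True)
class Bulletin:
    bulletin_id: str   # e.g. "MS13-021"
    component: str
    ms_level: str      # Microsoft's threat level
    lab_level: str     # SophosLabs assessment
    vuln_type: str     # RCE, EoP or Leak


# The March 2013 table from the article, transcribed as data.
MARCH_2013 = [
    Bulletin("MS13-021", "Internet Explorer", "Critical", "High", "RCE"),
    Bulletin("MS13-022", "Silverlight", "Critical", "High", "RCE"),
    Bulletin("MS13-023", "Visio Viewer", "Critical", "High", "RCE"),
    Bulletin("MS13-024", "Sharepoint", "Critical", "Medium", "EoP"),
    Bulletin("MS13-025", "OneNote", "Important", "Medium", "Leak"),
    Bulletin("MS13-026", "Office for Mac", "Important", "Medium", "Leak"),
    Bulletin("MS13-027", "Kernel drivers", "Important", "Medium", "EoP"),
]


def bulletin_number(bulletin_id: str) -> int:
    """Numeric part of an MSyy-nnn identifier, used for the numerical order."""
    return int(bulletin_id.split("-")[1])


def priority_key(b: Bulletin) -> tuple:
    """Most urgent first: Microsoft's level, then the SophosLabs assessment,
    then numerical order as the tie-breaker."""
    return (MS_RANK[b.ms_level], LAB_RANK[b.lab_level], bulletin_number(b.bulletin_id))


def prioritise(bulletins) -> list:
    """Return the bulletins in the order they should be pushed out."""
    return sorted(bulletins, key=priority_key)


def follows_numerical_order(bulletins) -> bool:
    """True when severity-based priority and numerical order agree, i.e. when
    'stick to Microsoft's numerical order' loses nothing."""
    by_priority = [b.bulletin_id for b in prioritise(bulletins)]
    by_number = sorted((b.bulletin_id for b in bulletins), key=bulletin_number)
    return by_priority == by_number


def push_today(bulletins) -> list:
    """The bulletins the article says not to defer: everything rated Critical."""
    return [b.bulletin_id for b in prioritise(bulletins) if b.ms_level == "Critical"]


if __name__ == "__main__":
    for b in prioritise(MARCH_2013):
        print(f"{b.bulletin_id}  {b.ms_level:<9} {b.lab_level:<6} {b.vuln_type:<4} {b.component}")
    print("numerical order is also priority order:", follows_numerical_order(MARCH_2013))
```

For this month `follows_numerical_order` returns True, which is exactly why the numerical order is a safe shortcut; for a month where an Important bulletin happens to carry a lower number than a Critical one it returns False and `prioritise` gives the order to use instead.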
Clickable vulnerabilities
Of the four critical holes, the vulnerabilities in Internet Explorer, Silverlight and SharePoint are what might be called click-to-own bugs.
That means that simply browsing to a malicious web page could be enough to let an attacker exploit the vulnerability and gain control of your computer.
The Visio flaw requires you actually to open a malevolent Visio file for the attack to launch.
Nevertheless, Visio files aren’t widely associated with malware in the way that EXEs, DOCs, PDFs and others are.
In other words, talking potential victims into opening a Visio file, even one that is obviously from an unusual source, is likely to be much easier than persuading them to launch an unexpected EXE.
With this in mind, my advice is simple: get on with the critical patches as soon as you can.
Tomorrow would be nice; today would be even better.
You can probably get away with deferring the non-critical patches for a while, if it would make your change control committee happy.
But why wait?
How do I get the patches? Usually, my computer says I need to update, etc., but I haven't seen anything like that. I use Firefox. Can anyone help this technological ignoramus?
Hi hendlefrix,
You can use Windows Update to check for and install any updates for your version of Windows:
For Windows XP, visit http://update.microsoft.com and choose the Custom option if you wish to choose which updates to install. Otherwise use the Express option to install all updates.
For Windows Vista, please find below a link with a video that demos how to use Windows Update:
http://windows.microsoft.com/en-US/windows-vista/…
For Windows 7, please find below a link with a video that demos how to use Windows Update:
http://windows.microsoft.com/en-us/windows7/produ…
For Windows 8, please find below a link that describes how to use Windows Update:
http://windows.microsoft.com/en-us/windows-8/wind…
I hope the above information is of assistance to you. If you require any further advice, please let us know. Thank you.
Did the updates today. On XP Pro it said 6 needed, downloaded and installed them. Rebooted and was told there's another 1 needed. Seems the Windows Update system dropped one that should have been included initially.
On Vista was told there are 7 updates but only 6 were selected. It failed to select the Vista system update! Manually added that with the check box and downloaded/installed all.
Why did the update systems miss out some of the needed updates? Over to you Microsoft.
Seems largely OK, apart from an ongoing issue with the XP system tray icons changing at every reboot. Plus I wonder how well tested these updates are? Past experience is that they test by scripting but don't do UAT, so miss faults that users find later.
The IE10 update does NOT apply to Windows 7.
Non-Affected Software
Operating System | Component |
---|---|
Windows 7 for 32-bit Systems Service Pack 1 | Internet Explorer 10 |
Windows 7 for x64-based Systems Service Pack 1 | Internet Explorer 10 |
Windows Server 2008 R2 for x64-based Systems Service Pack 1 | Internet Explorer 10 |
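An added example, not from the commenter above or from Microsoft: a PowerShell snippet that reads the installed Internet Explorer and Windows versions from the local machine and reports whether the host matches the MS13-021 non-affected rows quoted in that comment (Windows 7 SP1 or Windows Server 2008 R2 SP1 running Internet Explorer 10). It assumes the standard registry location for the IE version, and for any combination outside the quoted rows it only says to consult the bulletin's affected-software table rather than guessing.

```powershell
# Added example (not the commenter's or Microsoft's code). Reports whether this
# host falls into the MS13-021 "Non-Affected Software" rows quoted above.
# Assumption: the IE version lives under the standard registry key below.

$ieKey = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer'

# IE 10 records its real version in svcVersion and keeps Version at 9.x for
# compatibility, so prefer svcVersion when it is present.
if ($ieKey.svcVersion) {
    $ieVersion = $ieKey.svcVersion
} else {
    $ieVersion = $ieKey.Version
}
$ieMajor = [int]($ieVersion.Split('.')[0])

# Get-WmiObject rather than Get-CimInstance so this also runs on the
# PowerShell 2.0 that shipped with Windows 7.
$os = Get-WmiObject -Class Win32_OperatingSystem
$isWin7Family = $os.Version -like '6.1.*'   # Windows 7 and Server 2008 R2 are both NT 6.1
$isSp1 = ($os.ServicePackMajorVersion -eq 1)

Write-Output ('OS: {0} SP{1}  IE: {2}' -f $os.Caption, $os.ServicePackMajorVersion, $ieVersion)

if ($isWin7Family -and $isSp1 -and $ieMajor -eq 10) {
    Write-Output 'MS13-021: listed as non-affected (Windows 7 SP1 / Server 2008 R2 SP1 with IE 10).'
} elseif ($ieMajor -ge 6 -and $ieMajor -le 10) {
    Write-Output ('MS13-021: IE {0} is in the affected range (IE 6 to IE 10); confirm against the bulletin and run Windows Update.' -f $ieMajor)
} else {
    Write-Output 'MS13-021: IE version outside the range the article covers; consult the bulletin''s affected-software table.'
}
```

Run it in an elevated PowerShell prompt on the machine in question; the point of checking svcVersion first is that IE 10 on Windows 7 would otherwise report itself as version 9 and be wrongly flagged as needing the patch.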
Does anyone want to estimate how many Windows 7 users have moved up to IE 10?
My guess (esp. for organisations) is that many (if not most or even almost all) Windows 7 computers will have IE 9.
What do other readers think?
Hi Paul,
Agreed many corporations are going to be a lot more cautious about upgrading.
All 3 of my Windows 7 systems now use IE 10. I have heard many recommending it over IE 9 due to its improved speed (especially in the SunSpider benchmark) and better HTML 5 compliance. IE 10 for Windows 7 seems to have been well received.
For me, Enhanced Protected Mode, which allows me to always use a 64-bit browser with better security, was the deciding factor in upgrading.
Further details are available from:
http://blogs.msdn.com/b/ie/archive/2012/03/14/enh…
http://blogs.msdn.com/b/ie/archive/2012/03/12/enh…
http://blogs.msdn.com/b/ieinternals/archive/2012/…
However, the issue with the following prerequisite Windows 7 platform update might be putting some people off, KB2670838. Here are some relevant links:
http://support.microsoft.com/kb/2670838/en-us
http://support.microsoft.com/kb/2823483/en-us
http://www.infoworld.com/t/microsoft-windows/micr…
My systems have not been affected by BSODs, slow performance or distorted colors in games but it definitely hasn’t helped with getting early adopters of the new browser. Hopefully these issues will be resolved soon.
What are everyone else’s thoughts?
Thank you.
I just installed IE10 on the 2nd round of notices for updates on my Windows 7 64 bit system. It showed up as an update after I rebooted from the first update.
The info is out of date. When I clicked on the "Silverlight MS" link, this is what I got:
"We are sorry. The page you requested cannot be found."
This critical Silverlight update doesn't install without overriding Mac OS X Mountain Lion, because Microsoft apparently still hasn't registered its apps for Apple's security feature, Gatekeeper. Silverlight is bundled in installations of Flip4Mac, but Flip4Mac apparently doesn't include the critical Silverlight update yet.