Microsoft Patch Tuesday - seven bulletins, four critical, three RCEs, and even a fix for Macs

Filed Under: Featured, Microsoft, Vulnerability

SophosLabs has just published its assessment of the March 2013 Microsoft Patch Tuesday updates.

There are seven bulletins this month, dealing with twenty documented vulnerabilities.

Four of the bulletins are deemed critical by Microsoft, and three deal with vulnerabilities that could lead to remote code execution.

Here are the results in one-stop tabular form:

Bulletin ID Software component MS threat level SophosLabs assessment Vuln type
MS13-021 Internet Explorer Critical High RCE
MS13-022 Silverlight Critical High RCE
MS13-023 Visio Viewer Critical High RCE
MS13-024 Sharepoint Critical Medium EoP
MS13-025 OneNote Important Medium Leak
MS13-026 Office for Mac Important Medium Leak
MS13-027 Kernel drivers Important Medium EoP

RCE stands for remote code execution, where attackers may be able to trick the vulnerable software into running program code of their choice by feeding in maliciously-crafted data from the outside.

EoP means elevation of privilege, where a user or process with limited powers uses a software bug to trick an application or the operating system into carrying out operations that would usually be blocked.

(RCEs often only give remote cybercrooks the same system privileges as the current user; mix in an EoP as well and an attacker may be able to acquire administrative access from afar.)

Leak means an information disclosure flaw: a possible avenue for an attacker to bypass Access Control Lists (ACLs) or database security settings and view information that is supposed to be private.

Patching order

If you're the sort of user or administrator who likes to prioritise your patches, I recommend that you stick to Microsoft's numerical order.

That's because, in the list above, the severity and risk of the patches decreases from top to bottom.

The obvious biggie is at the very top: this is a cumulative Internet Explorer update that covers off nine separate security holes, one of which is "in the wild," having been publicly disclosed.

Importantly for the corporate world, this IE patch is needed for Internet Explorer versions from IE 6 all the way to IE 10.

Not even your really new or your really old PCs can be exempted from a prompt update.

So, if you're an all-Windows shop, this is an patch you'll want to push out as quickly as you can to everyone.

Clickable vulnerabilities

Of the four critical holes, the vulnerabilities in Internet Explorer, Silverlight and SharePoint are what might be called click-to-own bugs.

That means that simply browsing to a malicious web page could be enough to let an attacker exploit the vulnerability and gain control of your computer.

The Visio flaw requires you actually to open a malevolent Visio file in order to launch the attack.

Nevertheless, Visio files aren't widely associated with malware attacks in the way that EXEs, DOCs, PDFs and others are.

In other words, talking potential victims into opening a Visio file, even if it is obviously from an unusual source, is likely to be much easier than persuading them to launch an unexpected EXE.

With this in mind, my advice is simple: get on with the critical patches as soon as you can.

Tomorrow would be nice; today would be even better.

You can probably get away with deferring the non-critical patches for a while, if it would make your change control committee happy.

But why wait?

, , , ,

You might like

10 Responses to Microsoft Patch Tuesday - seven bulletins, four critical, three RCEs, and even a fix for Macs

  1. hendlefrix · 902 days ago

    How do I get the patches? Usually, my computer says I need to update, etc., but I haven't seen anything like that. I use Firefox. Can anyone help this technological ignoramus?

  2. MikeP_UK · 901 days ago

    Did the updates today. On XP Pro it said 6 needed, downloaded and installed them. Rebooted and was told there's another 1 needed. Seems the Windows Update system dropped one that should have been included initially.

    On Vista was told there are 7 updates but only 6 were selected. It failed to select the Vista system update! Manually added that with the check box and downloaded/installed all.

    Why did the update systems miss out some of the needed updates? Over to you Microsoft.

    Seems largely OK, apart from an ongoing issue with the XP system tray icons changing at every reboot. Plus I wonder how well tested these updates are? Past experience is that they test by scripting but not do UAT, so miss faults that users find later.

  3. The IE10 update does NOT apply to Windows 7.

    Non-Affected Software

    Operating SystemComponent
    Windows 7 for 32-bit Systems Service Pack 1Internet Explorer 10
    Windows 7 for x64-based Systems Service Pack 1Internet Explorer 10
    Windows Server 2008 R2 for x64-based Systems Service Pack 1Internet Explorer 10

  4. ve1arn · 901 days ago

    I just installed IE10 on the 2nd round of notices for updates on my Windows 7 64 bit system. It showed up as an update after I rebooted from the first update.

  5. Lese Majeste · 901 days ago

    The info is out of date. When I clicked on the "Silverlight MS' link, this is what I got:

    "We are sorry. The page you requested cannot be found."

  6. Security Concern? · 898 days ago

    This critical Silverlight update doesn't install without overriding Mac OS X Mountain Lion, because Microsoft apparently still hasn't registered its apps for Apple's security feature, Gatekeeper. Silverlight is bundled in installations of Flip4Mac, but Flip4Mac apparently doesn't included the critical Silverlight update yet.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog