Microsoft has issued its routine advance notification for the coming week’s Patch Tuesday.
As usual, the “pre-announcement” is a bit like a bikini: interesting more for what it conceals than what it reveals.
Nevertheless, there’s enough to make sure you’re ready for Tuesday 09 April 2013 (or Wednesday, of course, if you live at the longitude of about Thailand or further east).
This month’s nine updates don’t sound too onerous, with just two at critical level and the remaining seven important, but the critical ones affect Internet Explorer (IE) and Windows itself, and the IE fix will require a reboot.
Just so you know.
Importantly, the IE update applies to all supported versions of the browser, from IE 6 to IE 10, on all supported versions of Windows, from XP and Server 2003 to Eight and Server 2012, in both 32-bit and 64-bit flavours.
Server Core installs, happily, aren’t affected by either of the two critical flaws.
→ Internet Explorer isn’t part of a Core install, which doesn’t support GUI applications for safety’s sake. This reduces your attack surface area tremendously and you should go for a Server Core installation whenever you can.
As you may have seen, there has been plenty of speculation that the critical updates will include patches for the IE vulnerabilities exploited in the recent PWN2OWN competition.
Mozilla and Google triumphantly rushed out patches to the holes in Firefox and Chrome that were found at PWN2OWN, closing down the vulnerabilities within 24 hours.
As we remarked at the time, this certainly threw down the patching gauntlet to Microsoft, though we also pointed out that:
Redmond, to be fair, has many more products with much more complex inter-relationships to juggle than Mozilla, and even Google.
With the PWN2OWN rules this year requiring responsible disclosure, meaning that winners had to reveal their attacks to the affected vendors and allow time for a considered and tested fix, it wasn’t actually necessary for Microsoft to rush.
If Redmond’s security team does fix IE’s PWN2OWN bugs on its official April patch day, it will in my opinion have done a timely job, but until Tuesday, Microsoft is keeping the details up its sleeve.
Note that five of the non-critical patches fix what’s known as elevation of privilege, a trick that allows untrusted software to do things beyond its official authority.
Usually, that means a program running as a regular user can complete operations that would normally require administrator privileges, such as modifying system settings or altering critical files.
As you can imagine, attackers often combine RCE, or remote code execution, with EoP, or elevation of privilege.
They use the RCE to escape from the strictures of your browser, or some other interactive application, and then the EoP to escape from the limitations of your regular login account.
Either sort of exploit is dangerous on its own, but together they are much more harmful.
So plan to patch all the holes, not just the critical ones, and watch out on Naked Security and the SophosLabs Vulnerabilities page for our analysis and assessment of the updates once we’re clear to publish.
(We have to wait until Microsoft has made the updates live before we give away any details.)