May Patch Tuesday coming up – Microsoft still not sure if latest 0-day fix will make the cut

Microsoft’s Patch Tuesday for May 2013 will be published in the coming week.

It’ll be out on Tuesday 14 May 2013. (Wednesday 14 May for everywhere from about Malaysia eastwards.)

Here’s the elevator pitch:

  • 33 vulnerabilities identified and fixed.
  • Ten separate patches.
  • Eight rated Important. (Apply ASAP.)
  • Two rated Critical. (Apply immediately.)
  • A reboot is required.

Loosely translated, Microsoft’s interpretation of important means that an exploit against the vulnerability is likely to be found, but you’ll probably get some sort of warning, such as a pop-up dialog, if an attacker tries to use it.

On the other hand, critical means not just that a exploit is likely (or already known), but that it can be used silently – what’s known as a drive-by install – without popups or any other kind of warning.

The burning question about the May 2013 Patch Tuesday is this: will it fix CVE-​​2013-​​1347?

This is a remote code execution flaw in Internet Explorer 8 that has already been exploited in the wild to disseminate malware, most notably via a hacked website belonging to the US Department of Labor.

Microsoft has already published a temporary patch for CVE-​​2013-​​1347 in the form of a Fix it tool, and has announced that it would like to have a permanent patch available in time for the coming patch Tuesday.

As Microsoftie Dustin Childs from the Trustworthy Computing team wrote:

Of note, we are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140 [relating to CVE-2013-1347], supplementing the currently available Fix it.

In plain English, that means: “We’ve got a patch ready. We’d love to ship it out to everyone on Patch Tuesday, but we haven’t quite decided whether it’s 100% ready yet.”

I suggest you assume that Microsoft will miss the Tuesday deadline for the CVE-​2013-​1347 patch, and will publish it in a so-called out of band, one-off update later in May.

In other words, prepare to patch twice in the month.

If Microsoft does hit its deadline, treat it as a handy bonus.

Update: [2013-05-14T20:07Z] Microsoft made it in time! The May 2013 Patch Tuesday update provides an official, permanent fix for CVE-​2013-​1347.