Microsoft announces five Bulletins for Patch Tuesday, including Office for Mac

Filed Under: Featured, Microsoft, Vulnerability

Midsummer Patch Tuesday (or midwinter, depending on your latitude) takes place on Tuesday 11 June 2013.

As you probably already know, Microsoft publishes an official Advance Notification each month to give you early warning of what's coming.

These early notifications generally don't give any details, summarising only the basics, such as:

  • The number of Bulletins (read: security patches) you'll get.
  • The severity levels (read: urgency) of the patches.
  • The products or components being fixed.
  • Whether a reboot is required.

And June's answers, as briefly as possible, are:

  • Five.
  • One critical and four important.
  • Windows and Office.
  • Yes.

So it sounds on the surface like a light month, with only two remote code execution (RCE) vulnerabilies to worry about.

Take note, however, that Microsoft's Affected Software chart states that one of the RCEs is a vulnerability in Internet Explorer 6 to Internet Explorer 10, on platforms from Windows XP right up to Windows 8 and Windows RT.

That makes it a risk to almost every Windows user out there.

The other RCE, which isn't rated critical, affects Office.

Interestingly, the versions at risk seem to be Office 2003 for Windows, and Office 2011 for Mac, meaning that this isn't just a Windows Patch Tuesday.

→ As usual, Server Core installations aren't affected by the vulnerability in Internet Explorer (nor by the hole in Office), because Server Core deliberately omits the graphical components required to run GUI-based software like browsers, file viewers and word processors. You won't get caught out by surprise on Server Core when you visit a website, look at an image, or open a risky PDF file - for the compellingly simple reason that, by design, you can't do any of those things. We recommend that you use Server Core whenever technically possible.

There's also an update dealing with an elevation-of-privilege (EoP) flaw listed as being simply in "Windows."

The burning question is whether this fix deals with a vulnerability in the Windows kernel recently disclosed by Google researcher Tavis Ormandy, who published a working exploit on the Full Disclosure mailing list about three weeks ago.

Ormandy's initial Full Disclosure post appeared on 17 May 2013, noting that he had found a potentially exploitable vulnerability and asking for help to turn the bug into a working exploit.

Three days later, he'd solved his own problem and published what he claimed to be working exploit for all supported versions of Windows.

Note that EoPs don't always get critical ratings because they're often local exploits that can't be triggered remotely.

In such cases, you have to land before you can expand: you need to break into your victim's computer first, for example by using an RCE, and then use the EoP to "promote" yourself to administrator level.

Of course, if you're able to pull off an RCE in the first place, you can still infect your victim and wreak plenty of havoc, because malware doesn't need root-level access to log keystrokes, steal files, send spam and much more.

But an RCE followed by an EoP makes everything much worse, since any malware you unleash can do much more harm, such as altering system services, sucking data out of memory belonging to other processes, and even manipulating the operating system kernel itself.

So, watch this space (and the SophosLabs Vulnerabilities page) on Tuesday to find out exactly what's been fixed this month.

, , , , , , , ,

You might like

2 Responses to Microsoft announces five Bulletins for Patch Tuesday, including Office for Mac

  1. Nigel · 809 days ago

    Thanks for the heads up on the upcoming patch.

    On a separate matter, I noticed that the head of the article shows the date format as "June 9, 2013", and the patch date format is shown as "Tuesday 11 June 2013" — two different date formats.

    Spelling out the month does help to avoid the confusion between different countries' date formats when only numerals are used, but I'm curious as to why Sophos doesn't use the ISO 8601 date standard (year-month-date-day).

    It's a format that makes the most logical sense, proceeding from the most general (year) to the most specific (day), which is the order of importance when searching or referencing by date.

    • 4caster · 809 days ago

      I thoroughly agree. I've been saving data in this form since before the turn of the century, to ensure that the data always appear in chronological order.

      But, like when we changed from pints, miles and ounces, we old people need time to get used to it. ISO 8601 has only existed for 25 years. Give us a chance! Better still, don't introduce it until all the old people are dead.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog