Microsoft announces five Bulletins for Patch Tuesday, including Office for Mac

Midsummer Patch Tuesday (or midwinter, depending on your latitude) takes place on Tuesday 11 June 2013.

As you probably already know, Microsoft publishes an official Advance Notification each month to give you early warning of what’s coming.

These early notifications generally don’t give any details, summarising only the basics, such as:

  • The number of Bulletins (read: security patches) you’ll get.
  • The severity levels (read: urgency) of the patches.
  • The products or components being fixed.
  • Whether a reboot is required.

And June’s answers, as briefly as possible, are:

  • Five.
  • One critical and four important.
  • Windows and Office.
  • Yes.

So it sounds on the surface like a light month, with only two remote code execution (RCE) vulnerabilities to worry about.

Take note, however, that Microsoft’s Affected Software chart states that one of the RCEs is a vulnerability in Internet Explorer 6 to Internet Explorer 10, on platforms from Windows XP right up to Windows 8 and Windows RT.

That makes it a risk to almost every Windows user out there.

The other RCE, which isn’t rated critical, affects Office.

Interestingly, the versions at risk seem to be Office 2003 for Windows, and Office 2011 for Mac, meaning that this isn’t just a Windows Patch Tuesday.

→ As usual, Server Core installations aren’t affected by the vulnerability in Internet Explorer (nor by the hole in Office), because Server Core deliberately omits the graphical components required to run GUI-based software like browsers, file viewers and word processors. You won’t get caught out by surprise on Server Core when you visit a website, look at an image, or open a risky PDF file – for the compellingly simple reason that, by design, you can’t do any of those things. We recommend that you use Server Core whenever technically possible.

There’s also an update dealing with an elevation-of-privilege (EoP) flaw listed as being simply in “Windows.”

The burning question is whether this fix deals with a vulnerability in the Windows kernel recently disclosed by Google researcher Tavis Ormandy, who published a working exploit on the Full Disclosure mailing list about three weeks ago.

Ormandy’s initial Full Disclosure post appeared on 17 May 2013, noting that he had found a potentially exploitable vulnerability and asking for help to turn the bug into a working exploit.

Three days later, he’d solved his own problem and published what he claimed to be a working exploit for all supported versions of Windows.

Note that EoPs don’t always get critical ratings because they’re often local exploits that can’t be triggered remotely.

In such cases, you have to land before you can expand: you need to break into your victim’s computer first, for example by using an RCE, and then use the EoP to “promote” yourself to administrator level.

Of course, if you’re able to pull off an RCE in the first place, you can still infect your victim and wreak plenty of havoc, because malware doesn’t need root-level access to log keystrokes, steal files, send spam and much more.

But an RCE followed by an EoP makes everything much worse, since any malware you unleash can do much more harm, such as altering system services, sucking data out of memory belonging to other processes, and even manipulating the operating system kernel itself.

So, watch this space (and the SophosLabs Vulnerabilities page) on Tuesday to find out exactly what’s been fixed this month.