No real surprises from Microsoft this month on the patch front. As is usual for the summer in Redmond, things seem to slow down to the essentials.
Similar to last year though, MS has announced some policy changes in addition to fixes.
As Paul noted, there are three critical fixes released today, but two are more important than the third.
First off, MS13-059 fixes 11 remote code execution (RCE) flaws in Internet Explorer, including Internet Explorer 11 beta. This is what Microsoft refers to as a cumulative fix that addresses many different privately reported vulnerabilities.
While there is no reason to believe criminals were aware of these flaws before today, they won’t rest on their laurels. Anytime there is a flaw in Internet Explorer it needs to be top priority in your patch list.
The second critical flaw is MS13-060 and affects users of Microsoft’s aging XP and Server 2003 operating systems. It could allow remote code execution by exploiting a flaw in the OpenType font engine.
This is the third time in recent memory there has been an opportunity to be compromised by a font. Fortunately it only impacts the two oldest supported operating systems.
You do have your plan in place to upgrade all of your XP and Server 2003 systems by early 2014, right? Upgrading makes your systems more resilient to attack.
The last critical flaw, MS13-061, impacts Microsoft Exchange 2007, 2010 and 2013. Considering the vulnerabilities addressed by this patch are publicly known, Exchange servers should be updated as a priority.
This includes internal servers as well. These flaws can be exploited by asking a user of Outlook Web Access to open a maliciously crafted file under certain conditions.
The other fixes are for the Windows kernel, RPC, NAT, ADFS and IPv6 network stack.
There are a lot of unresolved issues that can result in denial of service when IPv6 is enabled, so it is good to see Microsoft addressing them.
On the announcement front, Microsoft is beginning the process of discontinuing support for digital certificates using MD5 hashes.
They have released two optional updates to the Download Center. One enhances the digital certificate management component of Windows to allow for a more policy-centric approach to what is allowed or disallowed.
The second (which relies on the first) abolishes support for MD5 hashed certificates.
They are available for testing now so that when they are automatically deployed in February 2014 you will have had enough time to ensure it doesn’t break any of your critical applications.
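One way to prepare for that deprecation is to inventory the certificates on a machine whose signature algorithm is MD5-based, so they can be replaced before the update is deployed. This PowerShell example is added here and is not from the post or from Microsoft's updates; the list of stores scanned and the report format are my own choices.

```powershell
# Inventory certificates in common Windows stores whose signature algorithm is
# MD5-based (FriendlyName such as "md5RSA"), so they can be replaced before the
# MD5 restriction is enforced. The store list below is an assumption: extend it
# with any application-specific stores your environment uses.
$stores = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA',
            'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\My')

$findings = foreach ($store in $stores) {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^md5' } |
        ForEach-Object {
            [pscustomobject]@{
                Store      = $store
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Algorithm  = $_.SignatureAlgorithm.FriendlyName
                NotAfter   = $_.NotAfter
                # Self-signed entries are listed separately so you can see
                # which findings are your own roots versus issued certificates.
                SelfSigned = ($_.Subject -eq $_.Issuer)
                Thumbprint = $_.Thumbprint
            }
        }
}

if ($findings) {
    $findings | Sort-Object Store, NotAfter | Format-Table -AutoSize
    "$(@($findings).Count) MD5-signed certificate(s) found; plan their replacement before the update is deployed."
} else {
    'No MD5-signed certificates found in the scanned stores.'
}
```

Run it in an elevated PowerShell session so the LocalMachine stores are readable; certificates presented by remote services are not covered by this inventory and need to be checked at the server that serves them.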
If it is your job to assess the importance and priority of updates at your organization, I recommend you take a look at this month's advice from the team at SophosLabs.
4 comments on “Patch Tuesday for August 2013 – 3 critical, 5 important”
MS has revised bulletin MS13-052, one of the .NET updates in July; this time because they have released some new updates.
“V2.0 (August 13, 2013): Bulletin revised to rerelease the 2840628, 2840632, 2840642, 2844285, 2844286, 2844287, and 2844289 updates. Customers should install the rereleased updates that apply to their systems. See the Update FAQ for more information.”
Watch out for the KB2859537 – it looks like installing it may cause serious problems, especially if installed on Win8.
If Micro$soft made cars instead of buggy, easy to hack software, most of the MS vehicles would spend more time in the garage getting repairs than on the street.
🙂 Respectfully, do you own a new car? My wife's car is in the shop on a regular basis because of low tire pressure warnings and they can't stop it from triggering on a weekly basis. How about the news reports showing car thieves opening car doors with electronic devices and bypassing alarms. I have numerous Windows machines in my home and office, all patched and running smoothly, but I clean and repair machines for friends and family all the time. Sometimes it isn't the software, it is the user – and I'm not referring to you personally.