Similar to last year though, MS has announced some policy changes in addition to fixes.
As Paul noted, there are three critical fixes released today, but two are more important than the third.
First off, MS13-059 fixes 11 remote code execution (RCE) flaws in Internet Explorer, including Internet Explorer 11 beta. This is what Microsoft refers to as a cumulative fix that addresses many different privately reported vulnerabilities.
While there is no reason to believe criminals were aware of these flaws before today, that will not last: attackers routinely reverse-engineer a patch to find the bug it fixes. Any flaw in Internet Explorer belongs at the top of your patch list.
The second critical flaw is MS13-060 and affects users of Microsoft's aging XP and Server 2003 operating systems. It could allow remote code execution through a bug in the parsing of OpenType fonts, so viewing a document or web page that embeds a malicious font is enough to trigger it.
This is the third time in recent memory there has been an opportunity to be compromised by a font. Fortunately it only impacts the two oldest supported operating systems.
You do have your plan in place to upgrade all of your XP and 2003 systems before XP leaves support in April 2014 (Server 2003 follows in July 2015), right? Newer versions of Windows ship with exploit mitigations, such as ASLR, that XP and 2003 lack, which makes the same class of bug much harder to turn into a working exploit.
The last critical flaw, MS13-061, impacts Microsoft Exchange 2007, 2010 and 2013. Considering the vulnerabilities addressed by this patch are already publicly known (they are in the Oracle Outside In libraries that Exchange uses to render attachments), Exchange servers should be updated as a priority.
This includes internal servers as well. These flaws can be exploited by persuading an Outlook Web Access user to preview a maliciously crafted attachment in the browser, where the WebReady Document Viewing feature parses the file on the server.
The other fixes are for the Windows kernel, RPC, NAT, ADFS and the IPv6 network stack.
There are a lot of unresolved issues that can result in denial of service when IPv6 is enabled, so it is good to see Microsoft addressing them.
On the announcement front, Microsoft is beginning the process of discontinuing support for digital certificates signed using MD5 hashes.
They have released two optional updates to the Download Center. The first enhances the certificate management component of Windows so that weak algorithms and key sizes can be allowed or blocked by policy rather than by hard-coded rules.
The second (which relies on the first) uses that mechanism to block certificates with MD5 signatures.
Both are available for testing now. They will be pushed out automatically through Windows Update in February 2014, so test them against your critical applications before then and track down any MD5-signed certificates, internal CAs included, that those applications still depend on.
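Before the February rollout, the practical question is which certificates in your environment are still MD5-signed. The following PowerShell is an added example written for this article, not a Microsoft tool and not part of the updates described above. It inventories the local machine and user certificate stores for MD5 signatures, then probes a TLS endpoint and rebuilds its chain the way Windows will evaluate it. The function names and the host name `mail.example.internal` are assumptions for illustration.

```powershell
# Added example: find MD5-signed certificates before Windows starts rejecting them.
# Assumes Windows PowerShell 3 or later with the Cert: provider. Function names
# are this example's own, not Microsoft cmdlets.

# SignatureAlgorithm.FriendlyName looks like 'md5RSA', 'sha1RSA' or 'sha256RSA'.
$md5Pattern = '^md5'

function Find-Md5SignedCertificate {
    [CmdletBinding()]
    param(
        # Stores to inspect; machine and user stores by default.
        [string[]]$StorePath = @('Cert:\LocalMachine', 'Cert:\CurrentUser')
    )
    Get-ChildItem -Path $StorePath -Recurse |
        # The Cert: provider also returns store containers; keep only certificates.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        Where-Object { $_.SignatureAlgorithm.FriendlyName -match $md5Pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Store              = ($_.PSParentPath -split '::')[-1]
                Subject            = $_.Subject
                Issuer             = $_.Issuer
                # A self-signed root's own signature is not verified during chain
                # building, so roots matter less than intermediates and leaf certs.
                SelfSigned         = ($_.Subject -eq $_.Issuer)
                SignatureAlgorithm = $_.SignatureAlgorithm.FriendlyName
                NotAfter           = $_.NotAfter
                Thumbprint         = $_.Thumbprint
            }
        }
}

function Test-TlsChainForMd5 {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    # Accept whatever the server presents: this probe inspects the chain,
    # it does not enforce it.
    $acceptAll = { param($sender, $certificate, $chain, $sslPolicyErrors) $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Rebuild the chain from the local stores, as Windows will when validating.
        # Intermediates the server sent are cached by CryptoAPI during the handshake;
        # if one is missing the chain will simply stop short of the root.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        [void]$chain.Build($leaf)

        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            [pscustomobject]@{
                Host               = $HostName
                Subject            = $c.Subject
                SignatureAlgorithm = $c.SignatureAlgorithm.FriendlyName
                Md5Signed          = [bool]($c.SignatureAlgorithm.FriendlyName -match $md5Pattern)
                SelfSigned         = ($c.Subject -eq $c.Issuer)
            }
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# Usage: list offending certificates in the local stores, then probe an
# internal endpoint (hypothetical host name).
Find-Md5SignedCertificate | Format-Table -AutoSize
Test-TlsChainForMd5 -HostName 'mail.example.internal' | Format-Table -AutoSize
```

Run the inventory on a representative server and workstation, and point the endpoint probe at any internal services that terminate TLS with certificates from an in-house CA; an MD5-signed intermediate or leaf anywhere in the chain is what will break once the update is installed, whereas a self-signed root only needs replacing if it also issues MD5-signed certificates.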
If it is your job to assess the importance and priorities for updates at your organization, I recommend you take a look at this month's advice from the team at SophosLabs.