It’s Get Ready For Microsoft Patch Tuesday time again already, and this month’s update will be the tenth anniversary of Microsoft’s regular security bulletins.
As you will have read at the start of the month, October 2013 is also the tenth anniversary of Cybersecurity Awareness Month.
I suspect that’s a coincidence, but it’s worth a smile anyway.
Microsoft has had a slightly rough time with updates lately, with some updates not working properly in August, and others working far too well in September, downloading themselves over and over again.
Despite the problems, however, things haven’t been too bad, so headlines like “A Decade of Botched Updates and Broken PCs” (I shan’t link to it; you can find it if you must) are needlessly discouraging.
(That article goes on to contradict itself almost immediately by describing early updates as trouble-free, so it can safely be dismissed as disingenuous, but it is nevertheless representative of real-world sentiment against Redmond and its patches.)
So, please don’t be discouraged this month, because the marquee update, Bulletin One, is almost certainly a formal fix for the Internet Explorer (IE) zero-day vulnerability that made the news half way through September.
Existing CVE-2013-3893 exploits don’t work against all versions of IE, but they do work even when DEP (data execution prevention) and ASLR (address space layout randomisation) are in play, so you should assume that a really determined attacker could figure out an unlawful way into all versions of Windows running any version of IE, from IE 6 on XP to IE 11 on 8.1.
→ I say “almost certainly a formal fix” because Microsoft’s Advance Notifications don’t actually detail exactly what is going to be fixed. So we can’t be sure that CVE-2013-3893 is being patched for good, but given the seriousness with which Microsoft handled its appearance in the wild, it’s a good guess.
Interestingly, seven out of the eight bulletins this month deal with RCEs, or Remote Code Execution bugs.
That’s where an outsider can send you something that isn’t suppose to cause a silent download – like a document or a web page – and infect you with malware, without so much as an “Are you sure?” dialog, even if all you do is look at it.
Four of these RCEs are branded Critical, which you can take to mean “if you don’t patch this hole, crooks will probably try to sail through it and may very well succeed.”
The other three are merely Important, perhaps because they “only” affect Office and SharePoint server software.
The eighth Bulletin involves an Information Disclosure hole in Silverlight.
As usual, SophosLabs will be publishing its own risk analysis once Microsoft’s publish-no-earlier-than deadline has passed (usally as soon the patches are publicly available), helping you to estimate the likelihood of each vulnerability being exploited if you choose to delay the patch.
The last things to notice as you plan for Tuesday are:
- Reboot required for the big Internet Explorer fix, so you’ll be rebooting most of your boxes.
- Server Core installs are unaffected, proving the wisdom of using the minimalist flavour of Windows wherever you can.
- Mac users get some Patch Love this time round, with an update for Office for Mac 2011 to close an RCE hole.
- Windows 8.1 gets an update to IE 11, so your pre-release adopters will be patching and rebooting too.
Good luck with your Tenth Anniversary of Tuesday patching!
And if you’d like a quick review of terminology like RCE and Information Disclosure, and how to decide whether a Critical patch is more urgent to you than an Important one, why not listen to our recent Techknow Podcast, Understanding Vulnerabilities?
(18 September 2013, duration 15’08”, size 9.1MB)
Download Sophos Techknow – Understanding Vulnerabilities [MP3]: