It’s Get Ready For Microsoft Patch Tuesday time again already, and this month’s update will be the tenth anniversary of Microsoft’s regular security bulletins.
As you will have read at the start of the month, October 2013 is also the tenth anniversary of Cybersecurity Awareness Month.
I suspect that’s a coincidence, but it’s worth a smile anyway.
Microsoft has had a slightly rough time with updates lately, with some updates not working properly in August, and others working far too well in September, downloading themselves over and over again.
Despite the problems, however, things haven’t been too bad, so headlines like “A Decade of Botched Updates and Broken PCs” (I shan’t link to it; you can find it if you must) are needlessly discouraging.
(That article goes on to contradict itself almost immediately by describing early updates as trouble-free, so it can safely be dismissed as disingenuous, but it is nevertheless representative of real-world sentiment against Redmond and its patches.)
So, please don’t be discouraged this month, because the marquee update, Bulletin One, is almost certainly a formal fix for the Internet Explorer (IE) zero-day vulnerability that made the news half way through September.
That vulnerability, CVE-2013-3893, is being actively exploited in the wild by cybercrooks and Metasploit alike, so it’s pretty much open for anyone to acquire, study, tweak and use.
Existing CVE-2013-3893 exploits don’t work against all versions of IE, but they do work even when DEP (data execution prevention) and ASLR (address space layout randomisation) are in play, so you should assume that a really determined attacker could figure out an unlawful way into all versions of Windows running any version of IE, from IE 6 on XP to IE 11 on 8.1.
→ I say “almost certainly a formal fix” because Microsoft’s Advance Notifications don’t actually detail exactly what is going to be fixed. So we can’t be sure that CVE-2013-3893 is being patched for good, but given the seriousness with which Microsoft handled its appearance in the wild, it’s a good guess.
Interestingly, seven out of the eight bulletins this month deal with RCEs, or Remote Code Execution bugs.
That’s where an outsider can send you something that isn’t supposed to cause a silent download – like a document or a web page – and infect you with malware, without so much as an “Are you sure?” dialog, even if all you do is look at it.
Four of these RCEs are branded Critical, which you can take to mean “if you don’t patch this hole, crooks will probably try to sail through it and may very well succeed.”
The other three are merely Important, perhaps because they “only” affect Office and SharePoint server software.
The eighth Bulletin involves an Information Disclosure hole in Silverlight.
As usual, SophosLabs will be publishing its own risk analysis once Microsoft’s publish-no-earlier-than deadline has passed (usually as soon as the patches are publicly available), helping you to estimate the likelihood of each vulnerability being exploited if you choose to delay the patch.
The last things to notice as you plan for Tuesday are:
- Reboot required for the big Internet Explorer fix, so you’ll be rebooting most of your boxes.
- Server Core installs are unaffected, proving the wisdom of using the minimalist flavour of Windows wherever you can.
- Mac users get some Patch Love this time round, with an update for Office for Mac 2011 to close an RCE hole.
- Windows 8.1 gets an update to IE 11, so your pre-release adopters will be patching and rebooting too.
Good luck with your Tenth Anniversary of Tuesday patching!
And if you’d like a quick review of terminology like RCE and Information Disclosure, and how to decide whether a Critical patch is more urgent to you than an Important one, why not listen to our recent Techknow Podcast, Understanding Vulnerabilities?
Sophos Techknow – Understanding Vulnerabilities [MP3] (18 September 2013, duration 15’08”, size 9.1MB)
I am beginning to believe that there are an infinite number of security flaws and bugs in Microsoft code.
I'm sure that can't be right. Maybe one of our mathematically-inclined readers could offer a proof that the number of flaws must be bounded above?
My thought is that the number of possible programs is finite (if you consider virtual memory only on 32-bit Windows, there are 2^39 bits' worth of address space to use to store your program, and thus only 2^2^39 possible program configurations), so even if they are all *flawed*, there's a hard limit right there…
I am convinced that the change team does not have performance as a priority as do the programmers of the initial release. Further, I'm sure they don't test as thoroughly. The attitude seems to be "Let's get this out the door and if the users are unhappy they will think it's their old, slow computer and get a new one with the new OS."
Recent patches to WinXP+IE8 have included one (about four months ago) which causes Windows to lose track of which window has focus. When the browser stalls, a keystroke will cause a random window to pop. Broken, but shipped anyhow.
The next month another untested patch causes the browser to hang. Often.
And don't even get me started on memory leaks. Just leave IE8 open for a while (on any page) and look at the memory in Task Manager.
Don't forget performance: slower and slower is all one could say.
Is no one watching the inmates?
Are you serious about “security” and you use WinXP/IE8??? Absurd. Even if you are App-vendor-locked into a legacy platform like WinXP, you should not whine about MS not supporting that platform. It was never their business model to support a high level of security on legacy platforms for this long.
Larry,
XP was released in 2001, IE8 in 2009. I think it might be time to upgrade!