Microsoft Patch Tuesday - get ready to patch and reboot the lot, including Server Core

Filed Under: Featured, Internet Explorer, Microsoft, Vulnerability, Windows

It's Patch Tuesday this week - the last one, indeed, for 2013, the year in which we celebrated the tenth anniversary of Microsoft's formularised process for security updates.

So here's our news-in-brief, as usual, to give you a quick summary of what to look forward to on Tuesday.

You'll be facing a pretty regular-sized effort, with eleven bulletins, five of them critical and six of them closing potential remote code execution (RCE) holes.

The non-critical RCE bug is rated important, which is a level usually used by Microsoft for compromises that provoke some sort of warning or prompt, even if it's not a very helpful warning (in other words, where there is some visual signal to look out for).

But important is also used for some vulnerabilities that result from "sequences of user actions that do not generate prompts or warnings," though you and I would probably just say, "drive-by install" or, for that matter, "RCE."

→ The difference in urgency and timing between criticals and importants has never been terribly clear. You are urged to update the former "immediately" and the latter "at the earliest opportunity," though quite how you could perform any update earlier than at the earliest opportunity is unclear.

In fact, all of this month's patches fall into the "earliest opportunity or sooner" category, with none of the eleven rated softer than important.

Affected products include:

  • Windows end-user operating systems
  • Windows server operating systems
  • Office
  • Lync
  • Internet Explorer
  • Exchange
  • Microsoft Developer Tools

The Developer Tools patches apply to ASP.NET SignalR, a programming library that simplifies the coding of cloud-style applications, and Team Foundation Server (TFS), Microsoft's source code control and code project management system.

If you have developers in your organisation, and you are using TFS, don't delay this patch.

The vulnerability is an Elevation of Privilege (EoP), rather than a full-blown RCE, but EoPs are risky at the best of times, and can be particularly pernicious in a version control system.

They typically turn any user into an administrator, which, in a programming project control system, could quite literally result in history being rewritten unexpectedly.

We know that cybercrooks have a special interest in getting into, and potentially modifying, your source code.

Amongst other things, it means that they can build their malware into your software up front, saving them from finding and exploiting hitherto unknown vulnerabilities later on.

→ We've written recently about a giant source code theft from Adobe; a source code compromise at open source ad server project OpenX; and a sustained, systematic and at least somewhat successful password guessing attack, apparently using a 40,000-strong botnet, at popular online source code repository GitHub.

Talking of EoPs, you will no doubt have read Microsoft's announcement, at the end of November, of CVE-2013-5065, a kernel-based privilege escalation bug in the driver NDPROXY.SYS on Windows XP.

The CVE-2013-5065 vulnerability is known to have been exploited in the wild.

What we don't know yet is whether the December 2013 Patch Tuesday fixes that one or not.

It seems probable, given that Bulletin 8 is listed as an EoP in Windows, with updates available only for XP and Server 2003. (That's the only bulletin that applies exclusively to XP/2003.)

But we shall have to wait until Tuesday tell you for sure.

By the way, this month really is an omnibus (a Latin word meaning "for everyone") update.

All platforms are affected, from XP to 8.1 and from Server 2003 to 2012, including installs of the stripped-down Server Core variants.

In addition, this month's Internet Explorer update covers the whole product range, from IE 6 to IE 11.

In short: plan to patch (and to reboot) every Windows-based computer and virtual machine in your business, no later than at the earliest opportunity.

, , , , , , , , ,

You might like

13 Responses to Microsoft Patch Tuesday - get ready to patch and reboot the lot, including Server Core

  1. Mrs. Johnson · 668 days ago

    Stopped reading as soon as I read a misspelled word and where "amongst" was used when "among" would have worked.

    • Paul Ducklin · 668 days ago

      Well done!

      PS. Your comment is missing a pronoun right at the start.

      • Troublemaker · 668 days ago

        Apparently, over there at Sinkhole Computer Service they do not have an awareness of Oksferd Anglish.

        • Paul Ducklin · 668 days ago

          My New Oxford Dictionary of English has an entry for "among" which says "also amongst" (with a note "Chiefly Brit.").

          Of course, the complainant (Mrs Johnson, hah!) is having the last laugh. Probably wagered someone "I'll get Duck to respond at length, just you watch, and I shan't need to mention security."

      • des · 666 days ago

        you got him there

    • Fred Sagen · 668 days ago

      Why would you be just smart enough to refer to Sophos for security advice but dumb enough to deliberately avoid reading that advice because of linguistic pedantry?

    • spookiewon · 667 days ago

      IIRC, Mr. Ducklin is British, so he spelled organisation correctly. And my dictionary lists amomgst as an acceptable alternative for among. Yes, among would have worked, but amongst is correct too. This just makes your dismissal of his article absurd, since you seem to be saying he has simply chosen a different word than you would have and used the correct spelling of a word in his native English which isn't your native form of English. How ugly American of you.

      • Paul Ducklin · 667 days ago

        "Mrs Johnson." It's a wind-up, innit? (Think of where you have heard the surnname Johnson before in connection with linguistic law-giving :-)

        Though you are right that I am right, of course :-)

    • Trust Me · 667 days ago

      Bravo, very nice trolling. It amazes me how many people, that I assume are regular readers of Naked Security, fell for this troll. Maybe there should be more articles about identifying trolls?

      Paul - excellent response to Mrs. Johnson. Once again you prove yourself as a master of security, and show a bit of a trolling yourself!

  2. amirul ender · 668 days ago

    Does windows 7 get affected

    • Paul Ducklin · 668 days ago

      Yes, it does.

      From MS's pre-bulletin chart, Win 7 SP 1 (32-bit and 64-bit) gets two "criticals" and an "important" fix for the OS itself.

      There is also a critical security fix for all versions of IE, (at least) one of which (either 8, 9, 10 or 11) you will almost certainly have installed - even if you never actively use it - along with Win 7.

  3. Sam · 668 days ago

    haha, lol good one Paul

  4. Wow. Wish I didn't read the comments.

    I haven't had a virus in ages, and I never worry about security. I also think running a Windows Server is really silly, but I understand why people like you are running a race against malware for the users who don't know better. Updating has always made my systems a little less stable.

    Back in Vista, I couldn't update at all, and that's about when I stopped caring. I try to update once every year, and usually it fails. If it fails, it doesn't particularly matter. I'll get the next release of Windows. Threshold doesn't sound so bad.

    In case you're wondering, I run Windows 8.1, Mac OS X 10.9.1, and Ubuntu 12.04 LTS.

    Anyhow, have a nice day. (ΦωΦ)

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog