Microsoft Patch Tuesday – get ready to patch and reboot the lot, including Server Core


It’s Patch Tuesday this week – the last one, indeed, for 2013, the year in which we celebrated the tenth anniversary of Microsoft’s formularised process for security updates.

So here’s our news-in-brief, as usual, to give you a quick summary of what to look forward to on Tuesday.

You’ll be facing a pretty regular-sized effort, with eleven bulletins, five of them critical and six of them closing potential remote code execution (RCE) holes.

The non-critical RCE bug is rated important, which is a level usually used by Microsoft for compromises that provoke some sort of warning or prompt, even if it’s not a very helpful warning (in other words, where there is some visual signal to look out for).

But important is also used for some vulnerabilities that result from “sequences of user actions that do not generate prompts or warnings,” though you and I would probably just say, “drive-by install” or, for that matter, “RCE.”

→ The difference in urgency and timing between criticals and importants has never been terribly clear. You are urged to update the former “immediately” and the latter “at the earliest opportunity,” though quite how you could perform any update earlier than at the earliest opportunity is unclear.

In fact, all of this month’s patches fall into the “earliest opportunity or sooner” category, with none of the eleven rated softer than important.

Affected products include:

  • Windows end-user operating systems
  • Windows server operating systems
  • Office
  • Lync
  • Internet Explorer
  • Exchange
  • Microsoft Developer Tools

The Developer Tools patches apply to ASP.NET SignalR, a programming library that simplifies the coding of cloud-style applications, and Team Foundation Server (TFS), Microsoft’s source code control and code project management system.

If you have developers in your organisation, and you are using TFS, don’t delay this patch.

The vulnerability is an Elevation of Privilege (EoP), rather than a full-blown RCE, but EoPs are risky at the best of times, and can be particularly pernicious in a version control system.

They typically turn any user into an administrator, which, in a programming project control system, could quite literally result in history being rewritten unexpectedly.

We know that cybercrooks have a special interest in getting into, and potentially modifying, your source code.

Amongst other things, it means that they can build their malware into your software up front, saving them from finding and exploiting hitherto unknown vulnerabilities later on.

→ We’ve written recently about a giant source code theft from Adobe; a source code compromise at open source ad server project OpenX; and a sustained, systematic and at least somewhat successful password guessing attack, apparently using a 40,000-strong botnet, at popular online source code repository GitHub.

Talking of EoPs, you will no doubt have read Microsoft’s announcement, at the end of November, of CVE-2013-5065, a kernel-based privilege escalation bug in the driver NDPROXY.SYS on Windows XP.

The CVE-2013-5065 vulnerability is known to have been exploited in the wild.

What we don’t know yet is whether the December 2013 Patch Tuesday fixes that one or not.

It seems probable, given that Bulletin 8 is listed as an EoP in Windows, with updates available only for XP and Server 2003. (That’s the only bulletin that applies exclusively to XP/2003.)

But we shall have to wait until Tuesday to tell you for sure.

By the way, this month really is an omnibus (a Latin word meaning “for everyone”) update.

All platforms are affected, from XP to 8.1 and from Server 2003 to 2012, including installs of the stripped-down Server Core variants.

In addition, this month’s Internet Explorer update covers the whole product range, from IE 6 to IE 11.

In short: plan to patch (and to reboot) every Windows-based computer and virtual machine in your business, no later than at the earliest opportunity.