Qualys Blog

www.qualys.com
wkandek

January 2013 Patch Tuesday Preview

Microsoft just published the Advanced Notification for the first Patch Tuesday of 2013. We will be looking at seven Bulletins, two rated "critical" and the remaining five rated "important." In total a wide variety of software will be updated including all versions of Windows (Windows RT is affected by four bulletins), Office, Sharepoint and System Center Operations Manager.

For IT administrators the focus should be on the two critical bulletins. While the first one affects only Windows 7 and Windows 2008 R2, the second one lists all versions of Windows, plus a number of server software. It is likely that it is a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services, which had its last fix in July of 2012 under MS12-043.

IT administrators should further take a look at the latest Internet Explorer 0-day vulnerability that Microsoft acknowledged the problem in KB2794220. While it affects Internet Explorer 6, 7 and 8, Microsoft is only aware of working exploits for IE8. They have published a workaround for the issue as a Fix-It and we recommend that organizations evaluate that until Microsoft provides a permanent patch for Internet Explorer itself.

Microsoft also published an advisory with a certificate update that invalidates a fraudulent certificate for *.google.com that was issued by the Turkish CA TURKTRUST. The certificate update will be transparent for organizations that have the automated certificate updater installed . All others , which includes Windows XP users for example, should push out KB2798897 manually to avoid the possibility of having their Web traffic intercepted by someone using the fraudulent certificate. See also the Google announcement and the blog post by Mozilla on the same issue originally discovered in late December by Google.

Please note that later this month, on January 15, Oracle will publish its quarterly Critical Patch Update (CPU) as well.

Leave a Reply