April has turned out to be a rather slow month for Patch Tuesday. There are nine bulletins addressing a total of 13 vulnerabilities, but only two of the bulletins are rated “critical,” a category that means an attacker can get control over the targeted machine. The remaining bulletins are all rated “important,” in large part because they require the attacker to have access to the targeted machine in order to exploit the flaws.
It’s the Thursday before April’s Patch Tuesday, and Microsoft’s Advance Notice has gone live.
There are nine bulletins this month, affecting all versions of Windows, some Office and server components and also Windows Defender on Windows 8 and RT. However only two bulletins are rated “critical”.
Bulletin 1 is for all versions of Internet Explorer (IE), including the newest IE 10 on Windows 8 and RT, and should be on the top of your patching efforts. It is rated “critical” and allows Remote Code Execution through today’s most common attack vector: one of your users browsing to a malicious website. Bulletin 2 is the second vulnerability, rated “critical”, and affects the Windows Operating System, except the newest versions, WIndows 8, Server 2012 and Windows RT (the tablet version).
The remaining bulletins are all rated “important” and affect Windows, the Sharepoint server, — and interestingly a security product — Microsoft’s malware scanner, Windows Defender on Windows 8 and Windows RT. The vulnerabilities addressed in these bulletins typically allow the attacker Escalation of Privilege from a normal user to an admin level user once they are already on the machine or can trick the user to open a specifically-crafted file.
In other important news, the PostGreSQL Open Source project has published a new version of its database product that addresses five security flaws. One of them, CVE-2013-1899 allows the attacker to delete database files without authentication, leading to data loss and denial of service, and they considered it important enough to warrant last week a pre-announcement of the upcoming release expected this week.
Please keep also in mind that Oracle has scheduled an extra release for Java this month. Normally Java is on a four-month release cycle: February, June and October of each year. Due to the amount and severity of recent vulnerabilities discovered, there will be an additional release that will go live on April 16th.
Last week, the PostgreSQL Project advised its users of an upcoming security patch for a critical security vulnerability in their database server software. All currently supported versions are affected and the patch will be released on Thursday, April 4th. To our knowledge this is the first time that an Open Source project has pre announced a vulnerability and upcoming patch. We expect the release to fix a Remote Code Execution vulnerability in this popular database engine and recommend all PostgreSQL users to upgrade to a secure version as soon as possible, especially if your database server is connected directly to the Internet. The Shodan search engine currently lists over 30,000 systems that have an accessible PostgreSQL server on the Internet.
Underscoring the severity of the vulnerability is an announcement by Heroku, a popular cloud application platform, that has started forcibly upgrading all of customers’ PostgreSQL installations with the patch.
We will update this post as soon as more information becomes available.