Today for Patch Tuesday, Microsoft and Adobe are both coming out with critical fixes for a number of widely installed and attacked programs. Microsoft has 10 bulletins addressing a total of 33 vulnerabilities, and Adobe is releasing new versions of Adobe Reader, Adobe Flash and Coldfusion.
It is the week before Patch Tuesday May and Microsoft has published its Advance Notification, giving us insight into what to expect next Tuesday.
There will be 10 bulletins this month, covering all versions of Internet Explorer (IE), Microsoft Office and Windows. The fixes for IE include the patch for the current 0-day vulnerability. A total of five bulletins allow for remote code execution (RCE) and should be the focus points for your patching next week.
It’s the Thursday before April’s Patch Tuesday, and Microsoft’s Advance Notice has gone live.
There are nine bulletins this month, affecting all versions of Windows, some Office and server components and also Windows Defender on Windows 8 and RT. However only two bulletins are rated “critical”.
Bulletin 1 is for all versions of Internet Explorer (IE), including the newest IE 10 on Windows 8 and RT, and should be on the top of your patching efforts. It is rated “critical” and allows Remote Code Execution through today’s most common attack vector: one of your users browsing to a malicious website. Bulletin 2 is the second vulnerability, rated “critical”, and affects the Windows Operating System, except the newest versions, WIndows 8, Server 2012 and Windows RT (the tablet version).
The remaining bulletins are all rated “important” and affect Windows, the Sharepoint server, — and interestingly a security product — Microsoft’s malware scanner, Windows Defender on Windows 8 and Windows RT. The vulnerabilities addressed in these bulletins typically allow the attacker Escalation of Privilege from a normal user to an admin level user once they are already on the machine or can trick the user to open a specifically-crafted file.
In other important news, the PostGreSQL Open Source project has published a new version of its database product that addresses five security flaws. One of them, CVE-2013-1899 allows the attacker to delete database files without authentication, leading to data loss and denial of service, and they considered it important enough to warrant last week a pre-announcement of the upcoming release expected this week.
Please keep also in mind that Oracle has scheduled an extra release for Java this month. Normally Java is on a four-month release cycle: February, June and October of each year. Due to the amount and severity of recent vulnerabilities discovered, there will be an additional release that will go live on April 16th.
It is the beginning of March and Microsoft just published the Advance Notice for this month’s Patch Tuesday.
We will get seven bulletins next week, affecting all versions of Windows, some Office components and also Mac OS X, through Silverlight and Office. Four of the bulletins carry the highest severity rating of “critical”.
Bulletin 1 will be on the top of our list next week. It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT. Bulletin 2 addresses critical vulnerabilities in Microsoft Silverlight, both on Windows and Mac OS X, and is widely installed at least on end-user workstations to run media applications, for example Netflix. Bulletin 3 is a vulnerability in Visio and the Microsoft Office Filter Pack. It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the “critical” rating. The last critical bulletin is for Sharepoint server.
The three remaining bulletins are all rated “important” and apply to OneNote, Office 2010 for Mac and Windows itself.
In other security news, the ZDI’s PWN2OWN competition is currently going on at the CanSecWest security conference in Vancouver. PWN2OWN awards prizes ranging from US$ 20,000 to US$ 100,000 to security researchers who can demonstrate vulnerabilities in the following products: Adobe Flash, Adobe Reader, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Oracle Java. In yesterday’s run, prizes have been claimed for Oracle Java by James Forshaw, Oracle Java again by Joshua Drake, IE10 on Windows 8 by VUPEN, Google Chrome on Windows 7 by a team from MWR Labs, John and Nils and finally Mozilla Firefox and finally Oracle Java, both by the team at VUPEN. Today the competition continues with attacks on Adobe Reader, Adobe Flash and IE10, and is then followed by Google’s Pwnium3, which awards prizes of over US$ 100,000 for vulnerabilities in Google’s ChromeOS.
You can expect patches for these vulnerabilities to be released over the coming weeks. We will keep you updated here, so stay tuned.