Microsoft just published the preview for March’s Patch Tuesday with five bulletins (two critical and three important) and there are two big priorities:
Microsoft just added two new bulletins to the lineup. Bulletin #1 is now a critical update for Internet Explorer affecting all versions of the browser from IE6 to IE11. Bulletin #2 is a critical vulnerability in Windows affecting XP to Windows 8 and RT. This makes this Patch Tuesday quite a bit more relevant, with what is now a pretty normal workload.
The remaining bulletins are all renumbered: the old Bulletin #1 becomes #3, #2 becomes #4, and so on.
Today Microsoft announced its lineup for next week’s Patch Tuesday. With only five bulletins, it is quite small, for the second time this year after January’s four-bulletin release. Also for the second time, there is no update to Internet Explorer, which we have grown accustomed to seeing in the monthly releases. We definitely expect an update next month in March, at the very least to get the newest browser out in front of the PWN2OWN competition at CanSecWest that is held on March 12-14.
Microsoft just published security advisory 2914486 describing a new, local vulnerability in Windows XP and Windows 2003. It acknowledges a kernel vulnerability that can be used to gain administrator privileges. It is being abused in the wild in conjunction with an Adobe Reader vulnerability that had a fix published in August 2013. This post on the FireEye blog has more technical details.
Users that have the latest version of Adobe Reader are immune to the attack, as well as users that are running on Windows Vista or later.
Stay tuned to this blog for updates on the issue.
Microsoft has announced that next week’s November 2013 Patch Tuesday will have eight security bulletins covering both the Windows operating system and Microsoft Office software. In addition, we have a high-priority item with the current 0-day vulnerability in a graphics library that is used by Microsoft Office and older versions of Windows, with no patch available so far, but a relatively low-impact workaround.
Today’s Microsoft Patch Tuesday for September 2013 brings us 13 bulletins fixing 47 distinct vulnerabilities. Thirteen bulletins is one fewer than originally announced last week: number fourteen, which applies to .NET and addresses a Denial-of-Service (DoS) vulnerability, is being held back for further testing. Adobe also announced new versions that fix critical vulnerabilities for Flash, Adobe Reader and Shockwave.
Update 2: Microsoft reissued MS13-061 today to include Exchange 2013 again. You should be able to install it now without issues, but it makes sense to test the installation in your environment and/or wait until your next downtime for the installation.
Update: Microsoft has pulled the MS13-061 update for Exchange 2013 because it causes a corruption of the index database. Hopefully you have not been impacted, because you do not install server patches on critical machines right away, which seems like a good cautious measure at the moment. Nevertheless, if you have Exchange 2013 and have not installed MS13-061 yet, then wait. If you have installed it and your installation shows signs of the issue, please take a look at KB2879739 for a workaround involving the editing of registry keys.
It’s the Thursday before April’s Patch Tuesday, and Microsoft’s Advance Notice has gone live.
There are nine bulletins this month, affecting all versions of Windows, some Office and server components and also Windows Defender on Windows 8 and RT. However, only two bulletins are rated “critical”.
Bulletin 1 is for all versions of Internet Explorer (IE), including the newest IE 10 on Windows 8 and RT, and should be at the top of your patching efforts. It is rated “critical” and allows Remote Code Execution through today’s most common attack vector: one of your users browsing to a malicious website. Bulletin 2 is the second vulnerability, rated “critical”, and affects the Windows Operating System, except the newest versions, Windows 8, Server 2012 and Windows RT (the tablet version).
The remaining bulletins are all rated “important” and affect Windows, the SharePoint server and, interestingly, a security product: Microsoft’s malware scanner, Windows Defender on Windows 8 and Windows RT. The vulnerabilities addressed in these bulletins typically allow the attacker Escalation of Privilege from a normal user to an admin-level user once they are already on the machine or can trick the user into opening a specially crafted file.
In other important news, the PostgreSQL Open Source project has published a new version of its database product that addresses five security flaws. One of them, CVE-2013-1899, allows the attacker to delete database files without authentication, leading to data loss and denial of service, and the project considered it important enough to warrant a pre-announcement last week of the upcoming release expected this week.
Please also keep in mind that Oracle has scheduled an extra release for Java this month. Normally Java is on a four-month release cycle: February, June and October of each year. Due to the amount and severity of recent vulnerabilities discovered, there will be an additional release that will go live on April 16th.
It is the beginning of March and Microsoft just published the Advance Notice for this month’s Patch Tuesday.
We will get seven bulletins next week, affecting all versions of Windows, some Office components and also Mac OS X, through Silverlight and Office. Four of the bulletins carry the highest severity rating of “critical”.
Bulletin 1 will be at the top of our list next week. It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT. Bulletin 2 addresses critical vulnerabilities in Microsoft Silverlight, both on Windows and Mac OS X; Silverlight is widely installed, at least on end-user workstations, to run media applications, for example Netflix. Bulletin 3 is a vulnerability in Visio and the Microsoft Office Filter Pack. It is puzzling to see such a high rating for this software, which typically requires opening an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the “critical” rating. The last critical bulletin is for SharePoint server.
The three remaining bulletins are all rated “important” and apply to OneNote, Office 2010 for Mac and Windows itself.
In other security news, the ZDI’s PWN2OWN competition is currently going on at the CanSecWest security conference in Vancouver. PWN2OWN awards prizes ranging from US$ 20,000 to US$ 100,000 to security researchers who can demonstrate vulnerabilities in the following products: Adobe Flash, Adobe Reader, Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, Oracle Java. In yesterday’s run, prizes were claimed for Oracle Java by James Forshaw, Oracle Java again by Joshua Drake, IE10 on Windows 8 by VUPEN, Google Chrome on Windows 7 by a team from MWR Labs, John and Nils, and finally Mozilla Firefox and Oracle Java, both by the team at VUPEN. Today the competition continues with attacks on Adobe Reader, Adobe Flash and IE10, and is then followed by Google’s Pwnium3, which awards prizes of over US$ 100,000 for vulnerabilities in Google’s ChromeOS.
You can expect patches for these vulnerabilities to be released over the coming weeks. We will keep you updated here, so stay tuned.