April has turned out to be a rather slow month for Patch Tuesday. There are nine bulletins addressing a total of 13 vulnerabilities, but only two of the bulletins are rated “critical,” a category that means an attacker can get control over the targeted machine. The remaining bulletins are all rated “important,” in large part because they require the attacker to have access to the targeted machine in order to exploit the flaws.
This month, the most important bulletin to apply to your infrastructure is MS13-028, which contains a new release of Internet Explorer (IE) covering all versions of the browser starting with IE6 going to IE10, and also including Windows RT, the operating system for mobile devices and tablets. MS13-028 has a score of “2” in the Exploitability Index, indicating that the construction of an exploit for the vulnerability is not entirely straightforward and not expected within the next 30 days. MS13-028 does not include a fix for the vulnerabilities found at last month’s PWN2OWN competition, most likely due to the time constraints imposed by the quality assurance (QA) work necessary for an IE release. The second vulnerability to apply is MS13-029, which fixes a vulnerability in the Remote Desktop Client ActiveX control included in all Windows versions prior to Windows 8. While ActiveX controls can be included in most Windows programs, the most likely attack vector is through a web browser. According to Microsoft EMET provides protection against both MS13-028 and MS13-029.
In addition, two of the “important” bulletins caught our attention: MS13-032 is a Denial of Service attack on Active Directory and should be high on the list for enterprise installations. An attacker can shut down the domain controllers for an organization using only with a single workstation. MS13-034 brings a new version of the Windows Defender Anti-malware program on Windows 8, which can be tricked to execute a program by placing it into the root directory of the boot drive (usually c:\). However, the likelihood of an attack is greatly minimized by the fact that by default this root directory is accessible only to system administrators in Windows 8.
April also brings releases from other vendors:
- Adobe is publishing a new version of its Flash player, APSB13-11, which addresses four vulnerabilities, including the one used by VUPEN during PWN2OWN. Microsoft has updated KB2755801 indicating that a new IE10 will contain the updated Flash player. If you run Google Chrome or Internet Explorer, you will receive the Flash update embedded in these products; for all other users, you will need to roll out this critical update yourself.
- Adobe also has patches for ColdFusion APSB13-10 and their Shockwave Player – APSB13-12
- Meanwhile, the open source project PostgreSQL published a critical fix for a vulnerability in its database last week that allows an unauthenticated attacker to delete data from any reachable database.
- Last but not least, Oracle is publishing a new version of Java next Tuesday, April 16. This new version will address a number of critical vulnerabilities as well. It will be important to install it as Java has been the target of many exploits in the last few months.
This month also rings in the last year of support for the Windows XP operating system. This version of Windows will reach the end of its support lifecycle in April 2014. It will then quickly become a liability for any organization that still depends on its function. In our internal tracking, we still see a large number — 27% of all machines — still using Windows XP, even though the number has dropped significantly from last year’s 57%. By now you should have a plan to migrate away from Windows XP and replace it with a more modern operating system—Windows, Mac OS X, Linux or other operating systems for PCs, or even substitute certain machines by tablets, which are overall much easier to keep updated and thus, more secure.