The February 2013 Microsoft Patch Tuesday bulletin was released with 12 advisories and is bigger than average, which means security and IT teams will be busier than average. It’s both good and bad news that the patches are mostly clustered on Windows, without dipping too much into Office or more esoteric specialty Microsoft products.
It’s good because administrators probably don’t have to worry about applying multiple patches for the same advisory to a single host. It’s bad because an organization with even the simplest deployment of Microsoft products will probably be hit by all of these advisories, meaning their desktop and server teams will be extra busy.
The exceptions to the OS vulnerability trend are bulletin 4, which applies to MS Exchange 2007 and 2010, and bulletin 5, which applies to Microsoft FAST Search Server 2010. Bulletin 4 (affecting Microsoft Exchange) is listed as critical, which could mean it is something that a malformed email message would trigger.
If so, this will be the most directly exploitable of the advisories and should be a top priority. Similarly, a vulnerability impacting a search service probably relates to a malformed message or document header which could trigger something in the indexing server.
Bulletin 12 only affects Windows XP, but is critical and requires a restart, which means it applies to a portion of the OS that will be in use. This could mean a running or default-on service, so this could be a remotely exploitable, wormable issue. For the many organizations that still have a large XP deployment, after patching your Exchange server, this is where I would look next.
Bulletin 3 is also critical and affects Windows XP, 2003, Vista, and 2008 (but not 2008 R2 or Windows 7). This is another important area of focus, along with Bulletins 1 and 2, which apply to Internet Explorer 6, 7, 8, 9, & 10. One can never underestimate the importance of browser patching. Hopefully Microsoft is getting these patches out ahead of public exploitation.
Bulletins 8, 9, & 11 are operating system privilege escalations, so they probably represent another round of Windows internal applications or kernel patching. Don’t underestimate the value of these issues, because this type of vulnerability is often exploited in conjunction with a browser vulnerability in order to elevate from user to administrator or system-level access.
Rounding out the group are two DoSes (bulletins 6 & 10), which are noteworthy at this time only in that they buck the trend and apply to more recent OS versions. Bulletin 6 applies to Server 2008 and 2012; bulletin 10 applies to Vista or later.
Author: Ross Barrett, Senior Manager of Security Engineering at Rapid7.