April 2013 advance notice is out and it forecasts an interesting patching session for Microsoft administrators. There are 9 advisories affecting 16 distinct platforms in 5 categories of Microsoft products, including the not-often-seen patching of “Microsoft Office Web Apps” and “Microsoft Security Software”.
Once again there is an IE patch which is rated critical, but this one differs from last month's incarnation by applying to all supported versions of IE (6-10) on the relevant platforms, including IE 10 on Windows 7 & 8. Due to the widespread use of IE and the consequently high degree of exposure for any group or individual using it, combined with the severity, this is where I would prioritize patching efforts.
Since there are only two critical advisories this month, it follows that the other critical issue which affects all versions of Windows from XP/2003 to 7/2008R2 is the next highest patching priority. It’s most likely that this is another parsing library bug (hence the required restart), though there is an outside chance that this could prove to be a truly worm-able issue affecting a service available on all Windows versions.
Of the remaining seven advisories, it’s hard to call what the top priority is, and the real risk will depend on your environment. I would lean towards saying that number 8, an elevation of privilege issue which affects Microsoft InfoPath, SharePoint and “Office Web Apps 2010” would be the next biggest cause for concern.
The fourth, sixth and ninth advisories all apply to Windows and are all elevation of privilege vulnerabilities. Based on this information, it's likely that one, or all, are kernel or kernel driver issues. Four and nine apply to all versions of Windows, while six only applies to Windows 2008 and earlier. I recommend keeping an eye on nine, since it is "out of order" in the advisory notice, which may be a very, very slim indication that it came in late or was accelerated due to exploitation in the wild.
The third advisory is an information disclosure issue that only affects SharePoint 2013. It could pose some risk depending on the information disclosed, but it is likely not a huge concern.
Bulletin five is a denial of service affecting x86-based versions of Windows (Itanium and RT are not listed as affected), so this may be something low level, such as a TCP/IP implementation issue that can take down a host remotely.
And that leaves number seven, lucky number seven, an elevation of privilege issue in Windows Defender affecting Windows 8 and RT. Definitely something to watch out for, since security software likes to pre-process files and this might be relatively easy to trigger once the patch is reversed.
Overall, this month is going to be more challenging than the relative quiet of last month. It will be interesting to see which, if any, are being actively exploited.
Author: Ross Barrett, Senior Manager of Security Engineering at Rapid7.