It is the week before May's Patch Tuesday, and Microsoft has published its Advance Notification, giving us insight into what to expect next Tuesday.
There will be 10 bulletins this month, covering all versions of Internet Explorer (IE), Microsoft Office and Windows. The fixes for IE include the patch for the current 0-day vulnerability. A total of five bulletins allow for remote code execution (RCE) and should be the focus points for your patching next week.
Bulletin 2 is for the recent IE8 0-day and is rated “critical” because it grants RCE; it should be at the top of your list if you are on IE8, which, according to our BrowserCheck statistics, still accounts for about 43 percent of users. Bulletin 1 is also for IE and affects all versions from 6 to 10 on all Windows operating systems from XP to 8, including RT. It includes the patches for the vulnerabilities discovered at the Pwn2Own competition at CanSecWest in March of this year.
The remaining RCE-type vulnerabilities are concentrated on Microsoft Office. The most widely installed is probably Bulletin 7, which is for Word 2003 and Word Viewer. Bulletin 6 covers the Microsoft Publisher included in Office 2003, 2007 and 2010, and Bulletin 5 is for Microsoft’s instant messaging modules – Communicator 2007 and Lync 2010.
There are also three bulletins (3, 4 and 10) for Windows itself that address Denial of Service, Spoofing and Elevation of Privilege vulnerabilities, all of them local and rated “important.”
Outside of Microsoft, we will also see patches from Adobe. They will release a new version of Adobe Reader next Tuesday. They are also working on a patch for a new 0-day vulnerability in ColdFusion, which is also expected to be released next Tuesday. If you run ColdFusion, which has come under some scrutiny lately from attackers, take a look at the advisory APSA13-03 for details.
Author: Wolfgang Kandek, CTO, Qualys.