For Patch Tuesday this month, we are receiving critical updates from both Microsoft and Adobe. Microsoft has five bulletins, bringing the six-month total up to 51 bulletins, about 20% more than we had in 2012.
The most important Microsoft bulletin is MS13-047, a new version of Internet Explorer (IE). The bulletin is rated “critical,” addresses 19 vulnerabilities and covers all versions of IE, from IE6 to IE10, running on all versions of Windows, from XP to RT. Given the large number of vulnerabilities fixed, this will be the main target for attackers to reverse engineer and construct an exploit that can be delivered through a malicious webpage. Apply this bulletin as quickly as possible on all workstations that use IE for Internet access.
Our second priority is bulletin MS13-051 for Microsoft Office 2003 on Windows and 2011 for Mac OS X. It addresses a parsing vulnerability for the PNG graphic format that is currently in limited use in the wild. The attack arrives in an Office document and is triggered when the user opens the document. Microsoft rates it only as “important” because user interaction is required, but attackers have shown over and over that getting a user to open a file is quite straightforward. They use social-engineering techniques and send the “right” content to the user under attack – documents that have professional names and contain information that is of interest to the target.
Other fixes are MS13-048, for an Information Disclosure vulnerability; MS13-049, for a DoS problem in the TCP/IP stack of newer Windows systems (Vista+); and MS13-050, a local privilege escalation vulnerability in Windows Print Spooler.
Microsoft is not fixing a recent vulnerability that Tavis Ormandy had alluded to in March and has recently published an exploit for on the full-disclosure mailing list. The 0-day vulnerability allows an attacker already on the machine to gain admin privileges, and we can assume that the underground is working to make that vulnerability part of their arsenal. The vulnerability should be addressed next Patch Tuesday unless wider exploitation in the wild is detected.
Adobe is coming out with a new version of Flash (APSB13-16), which addresses one vulnerabilities, mostly report by Google’s security team. If you use Google Chrome or Microsoft IE10, you will receive this update automatically. Microsoft offers more details in KB2755801.
Apple published its quarterly security fixes last week, with a new version of Safari and Mac OS X. These address numerous critical vulnerabilities and should be installed as quickly as possible. They are unrelated to the newly announced versions of Mac OS X and Safari at the recent WWDC in San Francisco, which will still take a number of weeks for release.
All in all, it’s a smaller Patch Tuesday, but certainly enough work for system administrators, many of whom have to take care of Adobe, Apple and Microsoft.
Author: Wolfgang Kandek, CTO, Qualys.