Microsoft Kicks off 2013 with 7 Security Update Items
Microsoft's January security update, released today, includes two "critical" and five "important" bulletins that address 12 vulnerabilities. What's noteworthy this month is that, unlike in previous months, remote code execution (RCE) flaws do not make up the majority of the fixes.
According to Microsoft's Trustworthy Computing group, critical bulletin MS13-002, which addresses two vulnerabilities in Microsoft XML Core Services that could lead to RCE, should be prioritized first this month. The reason is how easy the attack is to mount: an attacker need only direct a target to a malicious Web site (typically through an e-mailed link).
Adding to the complexity of this bulletin is the large list of affected software, which means it will take the most time to fully update systems.
"One thing to watch out for in this type of vulnerability is applying all the patches that apply to a system, e.g. it affects Groove, Office, SharePoint, the OS, and other components," commented Rapid7's Senior Manager, Security Engineering Ross Barrett in an e-mail. "Administrators will have to patch for each affected component. This will require multiple patches for many systems and will almost certainly require a restart."
The second critical item of the month (bulletin MS13-001) addresses a privately reported vulnerability in the print spooler on Windows 7 and Windows Server 2008 R2. The flaw could be exploited to carry out an RCE attack if a print server receives a malicious print job from an outside source.
While still rated at Microsoft's highest severity level, this bulletin should be applied only after MS13-002 because of the lower risk associated with it: typically a print spooler will not accept a job received from outside a firewall. If a user's firewall is disabled, however, the system could be open to attack.
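The exposure condition described above, the spooler reachable because the firewall is off, is easy to check before deciding how urgently to deploy MS13-001. The following PowerShell script is an added example, not code from the article or from Microsoft. It shells out to netsh rather than using the Get-NetFirewallProfile cmdlets so that it runs on Windows 7 and Server 2008 R2, and it uses New-Object rather than the [PSCustomObject] accelerator for PowerShell 2.0 compatibility. The -HotfixId parameter is a placeholder: supply the KB number of the update you actually deployed for this bulletin.

```powershell
# Added example (not from the article): triage check for print spooler exposure.
# A host is flagged when the Spooler service is running AND at least one Windows
# Firewall profile is off AND the supplied hotfix (if any) is not installed.
# Run from an elevated PowerShell prompt on Windows 7 / Server 2008 R2.
# Caveat: netsh prints localized text on non-English Windows; the regexes below
# assume the English "Domain Profile Settings:" / "State ON" wording.

function Get-FirewallProfileState {
    # Parses "netsh advfirewall show allprofiles state" into a hashtable such as
    # @{ Domain = 'ON'; Private = 'ON'; Public = 'OFF' }.
    $result  = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(Domain|Private|Public) Profile Settings:') {
            $current = $matches[1]
        }
        elseif ($current -and $line -match '^State\s+(ON|OFF)') {
            $result[$current] = $matches[1]
            $current = $null
        }
    }
    return $result
}

function Test-SpoolerExposure {
    [CmdletBinding()]
    param(
        [string]$HotfixId   # placeholder, e.g. 'KB1234567'; use the real KB for MS13-001
    )

    $spooler        = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $spoolerRunning = ($null -ne $spooler -and $spooler.Status -eq 'Running')

    $profiles = Get-FirewallProfileState
    $disabled = @($profiles.Keys | Where-Object { $profiles[$_] -eq 'OFF' })

    # $null means "not checked"; $true/$false means the hotfix was looked up.
    $patched = $null
    if ($HotfixId) {
        $patched = [bool](Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue)
    }

    $exposed = ($spoolerRunning -and $disabled.Count -gt 0 -and $patched -ne $true)

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        SpoolerRunning = $spoolerRunning
        FirewallOff    = $disabled        # profiles whose state is OFF
        Patched        = $patched
        Exposed        = $exposed
    }
}

# Usage: run locally, or wrap in Invoke-Command to sweep a list of servers.
Test-SpoolerExposure | Format-List
```

Exposed is deliberately conservative: a running spooler behind a firewall that is on in every profile reports $false, while an unknown patch state on a host with any profile off reports $true so it lands on the "patch first" list.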
The remaining five items for this month address issues that pose less risk than the two bulletins above. They are:
- MS13-003: Fixes two privately reported issues in Microsoft System Center Operations Manager 2007 that could lead to elevation of privilege if a user clicked a malicious Web link.
- MS13-004: This .NET Framework bulletin addresses four elevation of privilege flaws associated with XAML Browser Applications (XBAPs) on Windows XP.
- MS13-005: The third elevation of privilege fix of the month addresses a Windows kernel-mode driver flaw in Windows Vista, 7, 8, Windows Server 2008 R2 and Windows Server 2012.
- MS13-006: If left unpatched, a flaw in multiple versions of Windows and Windows Server could allow an attacker to bypass a Windows security feature if the handshake of an encrypted (SSL/TLS) Web session from the targeted machine were intercepted.
- MS13-007: The final bulletin of the month addresses a denial of service vulnerability in Windows' Open Data (OData) protocol implementation.
IE Zero-Day Goes Unpatched
Many security experts expected an Internet Explorer fix this month in the wake of security firm FireEye's Dec. 28 announcement of a zero-day flaw in Microsoft's browser.
While Microsoft did address the zero-day flaw, which affects Internet Explorer 6, 7 and 8, with a temporary workaround, Jason Miller, Research Development Manager for VMware, said that because of the nature of the flaw a security update is needed as soon as possible: exploitation can still occur even with the workaround applied.
"Recently, security researchers have found a way to bypass this temporary fix to carry out an attack on the vulnerability," said Miller in an e-mailed statement. "As we continue to wait for a security bulletin for Internet Explorer, it is critical that administrators keep their antivirus definitions up to date and upgrade their Internet Explorer browsers to version 9 if possible."
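Acting on the "upgrade to version 9 if possible" advice starts with knowing which machines are still on the affected IE 6/7/8 line. The following PowerShell inventory check is an added example, not code from the article or from either vendor quoted in it. It reads the installed browser version from the registry; the only facts it relies on are the Internet Explorer registry key and the article's statement that versions 6, 7 and 8 are affected. The svcVersion handling is included because IE 10 and later keep a 9.x string in the Version value and report their true version in svcVersion.

```powershell
# Added example (not from the article): report the installed Internet Explorer
# version and whether it falls in the 6-8 range the article describes as affected.
# Reads HKLM:\SOFTWARE\Microsoft\Internet Explorer (present on every IE install).
# Uses New-Object rather than [PSCustomObject] so it runs under PowerShell 2.0.

function Get-IEMajorVersion {
    param([string]$Version, [string]$SvcVersion)
    # svcVersion is authoritative when present (IE 10+); otherwise use Version.
    $v = $Version
    if ($SvcVersion) { $v = $SvcVersion }
    if ($v -match '^(\d+)\.') { return [int]$matches[1] }
    return $null
}

function Test-IEAffected {
    param([int]$Major)
    # Per the article, IE 6, 7 and 8 are affected by the still-unpatched zero-day.
    return ($Major -ge 6 -and $Major -le 8)
}

function Get-IEStatus {
    $key   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Internet Explorer' -ErrorAction Stop
    $major = Get-IEMajorVersion -Version $key.Version -SvcVersion $key.svcVersion

    $reported = $key.Version
    if ($key.svcVersion) { $reported = $key.svcVersion }

    New-Object PSObject -Property @{
        ComputerName = $env:COMPUTERNAME
        IEVersion    = $reported
        Major        = $major
        Affected     = (Test-IEAffected -Major $major)
    }
}

# Usage: run locally, or via Invoke-Command -ComputerName <list> -ScriptBlock ${function:Get-IEStatus}
# after dot-sourcing this file, to build the list of hosts to upgrade.
Get-IEStatus | Format-List
```

Get-IEMajorVersion is separated from the registry read so the classification can be applied to version strings collected by other inventory tools (SCCM, login scripts) without re-reading the registry on each host.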
Microsoft has not commented on whether a fix will come in a future monthly security update or in the form of an out-of-band patch.