Patch Tuesday preview: April 2013


Next week’s Microsoft Patch Tuesday comprises nine bulletins. Only two are rated ‘critical’ with seven rated ‘important’. All versions of Windows are affected, some Office and server components, and Windows Defender on Windows 8 and RT.

“Bulletin 1 is for all versions of Internet Explorer (IE), including the newest IE 10 on Windows 8 and RT, and should be on the top of your patching efforts,” comments Wolfgang Kandek, CTO at Qualys; “and you should update Internet Explorer while you’re at it,” adds Lumension’s forensic analyst Paul Henry. Ziv Mador, director of security research at Trustwave, thinks it may be “another use-after-free vulnerability that we have been seeing so much of the last few months, that results in remote code execution.”

“Bulletin 2 will be your next priority,” suggests Henry. “It impacts Windows 7 and Windows XP critically, which many enterprises are still using in lieu of upgrading to Windows 8.” It doesn’t affect Windows 8 or RT, but with many users, both domestic and corporate, delaying an upgrade to Windows 8, the volume of affected users remains high.

“The remaining bulletins,” comments Kandek, “are all rated ‘important’ and affect Windows, the Sharepoint server, and interestingly,” he adds, “a security product: Microsoft’s malware scanner, Windows Defender on Windows 8 and Windows RT.” This is Bulletin 7 and can lead to privilege escalation. Mador is also intrigued. “I am mostly curious about how this issue was discovered and disclosed,” he comments. “Windows Defender isn’t something that has seen a lot of attention from researchers but would definitely be a juicy target of attackers.”

Henry, however, is most curious about Bulletin 5, which can lead to denial of service. “We don’t often see denial of service issues, however, so I’m very interested to learn more about Bulletin 5,” he comments. His general advice is to patch Bulletins 1 and 2 first, while “for the rest of the important bulletins, I would patch them in order of what you’re using on your systems.”

But it is the volume of patches that most concerns Alex Horan of CORE Security. “While only two of the announced patches are actually critical, as a security professional, I find the sheer volume of patches this month to be noteworthy,” he comments. “Large numbers of updates lead to more administration and ultimately delays. This can allow critical vulnerabilities to be exploited while less significant concerns simply cloud the security picture.” He also notes that “Bulletin 8 may also represent one of the first reported vulnerabilities for Microsoft Office Web Apps 2010, which would be significant in and of itself.”

Six of the bulletins will require a restart while the remaining three ‘may’ require a restart; so although only two are classified as ‘critical’, the potential disruption caused by implementing April’s Patch Tuesday remains high.

Source: Info Security