Advance notice of Microsoft Patches to be released on January 8, 2013 – and other updates for Jan

On Thursday, January 3, Microsoft provided advance notice of the patches that are scheduled to be released on Tuesday, January 8, 2013. The details as they are currently known are available at http://technet.microsoft.com/en-us/security/bulletin/ms13-jan   There are a total of seven bulletins scheduled to be released that include two patches designated as CRITICAL and five designated as IMPORTANT.   The CRITICAL bulletins address vulnerabilities in the following Microsoft products:

Workstation Operating Systems

  • Windows 8
  • Windows RT
  • Windows 7
  • Windows Vista
  • Windows XP

Server Operating Systems

  • Windows Server 2008R2 base and SP1 (64 bit and Itanium versions)

Microsoft Server software

  • SharePoint Server 2007 SP2 and SP3 (32 and 64 bit)
  • Groove Server 2007 SP2 and SP3

Microsoft Office Suites and Software

  • Office 2003 SP3
  • Office 2007 SP2 and SP3

Other Microsoft software

  • Microsoft Word viewer
  • Office Compatibility Pack SP2 and SP3

Developer tools and Software

  • Expression Web Service pack 1
  • Expression Web 2

Patches designated as IMPORTANT apply to all workstation and server operating systems that are supported including Windows 8 and Server 2012. However, it should be noted that the bulletins designated as IMPORTANT would only allow an elevation of privilege* exploit to take place as opposed to a potentially more harmful remote code execution exploit in the case of bulletins designated as CRITICAL.

It is currently unknown if any of the vulnerabilities patched in the January updates are currently being exploited. For that reason no recommendation is available as to the urgency of the application of the patches. Additional information will be provided after the patches are released on Tuesday, January 8.

*Note: Vulnerabilities that allow remote code execution do not require the user to have been authenticated on the system to be successfully exploited.  In contrast, vulnerabilities that enable an elevation of privilege DO require that the user have an account/logon ID on the system (and have successfully authenticated) before malicious software can successfully exploit the vulnerability.

Update Jan 8 1:45 p.m.

Microsoft has provided additional details of the patches released on January 8. While no exploit code has been identified for the most severe patches (MS13-01 and MS13-02), identified with CRITICAL designations, it is recommended that patch MS13-02 for Print Spooler core services be applied to servers when feasible and MS13-01 for MSXML core services be applied to workstations as soon as possible.

Specifics for Print Spooler Vulnerability addressed in MS13-02

The vulnerability for the print spooler has no direct infection vector. To perform a successful exploit, a malicious print job would have to be sent to a shared printer and other users with access to the shared printer would have to use third party (non-Microsoft) products to query the printer for information on the malicious content.

Specifics for MSXML Core Services vulnerability addressed in MS13-01

Reliable exploit code is expected within the next 30 days for the vulnerability addressed with patch MS13-01.  The vulnerability exists in the way Windows parses XML content.  The vulnerability could be exploited if the user browses to malicious web page. Under that condition, malicious content will be installed on the workstation (either as administrator if that is how the user was logged in, or as a limited user if running under a non-admin account).  Additionally, if web browsing is performed from a system running a Windows Server operating system, some inherent protections will be realized due to the restricted mode associated with Internet Explorer Enhanced Security Configuration  integrated within Microsoft Server operating systems.  The enhanced security configuration should limit the exposure for server operating systems that encounter a malicious web page.  However, it is still strongly recommended that no web browsing be performed from Server Systems.

Update 2 – 3:00 p.m.

Software patches were also released for Mozilla Firefox, and Thunderbird on January 8. See the following URLS for details

Adobe also released patches for Acrobat and Reader versions 10.0.4 and 11.0. on January 8. Please see the following URL for details

Update Jan 14 8:00 a.m.

Note: On Jan 7, an active zero day exploit was identified for Java version 1.7.10. Oracle released an updated version of Java on January 13. The updated version is 1.7.11 and can be downloaded from – http://java.com/en/download/index.jsp

Details are available at – http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html

Tags:

Categories: Uncategorized