Advance notice of February 2013 Microsoft patches – to be released on Feb 12.

Microsoft has just provided advance notice of the patches to be released on Tuesday, February 12. Details are available at http://technet.microsoft.com/en-us/security/bulletin/ms13-feb  Its safe to say, it will be a significant patch month, most definitely for workstations but some also apply to servers.

From what I am reading there are a total of 12 bulletins that will be released and five of them a designated as CRITICAL.  Critical designations have been assigned to patches for Internet Explorer versions 6-10 (for both workstation AND server installations) and also for server systems running Exchange 2007sp3 and Exchange 2010sp2.  If you aren’t using servers for web browsing, the risk is probably somewhat less.  But, I would say now, that it is quite likely the patches for Internet Explorer WILL come with the patch as soon as possible recommendation.

I will provide more details on Tuesday, after Microsoft adds a little more details to their advance notice.

Update February 12 2:00 p.m.

Microsoft has recently provided additional details on the patches that are released for February.  Prior to February 12, none of the vulnerabilities identified as critical had been disclosed publically.  However, the most significant bulletin MS13-09 https://technet.microsoft.com/en-us/security/bulletin/ms13-009 , is associated with vulnerabilities in 13 modules in Internet Explorer.  Further, it is fully expected that reliable exploit code will likely materialize for nine of these vulnerable modules within the next 30 days.  The vulnerability in all of these Internet Explorer modules is a remote code execution and could be exploited if someone browses to a malicious website using Internet Explorer prior to applying the patch. The vulnerability is classified as MODERATE for all server operating systems.

 

Of the other vulnerabilities, MS13-10 https://technet.microsoft.com/en-us/security/bulletin/ms13-010 only deals with single Remote Code Execution vulnerability in VML (or vector markup language). But, it also is exploitable via a malicious webpage being accessed using Internet Explorer.  However of particular concern is, the vulnerability is identified as CRITICAL even for Server Operating Systems for installations that are not only ‘server core installation option’ only.

Update – Feb 13 – 8:00 – there are also indications that the vulnerability associated with MS13-010 is actively being exploited.

February Patch MS13-11, https://technet.microsoft.com/en-us/security/bulletin/ms13-011 is a Remote Code Execution vulnerability in the Media Decompression module and could be exploited if a user opens a malicious media file (.such as mpg) or opens an MS-Office document (such as a power point file), that contains a specially crafted media file.

MS13-020 https://technet.microsoft.com/en-us/security/bulletin/ms13-020 is also designated as critical but it only applies to Windows XP Service Pack3 and concerns a vulnerability in Windows Object Linking and Embedding.

Considering the potential exists for reliable exploit code to materialize in the next 30 days in about 15 different windows modules for both server and workstations, and also Adobe released patches for Flash player on both February 7 and also Feb 12, (http://www.adobe.com/support/security/bulletins/apsb13-05.html ), it is strongly suggested that the Microsoft and also Adobe patches be applied to all systems as soon as possible.

 

It should also be noted, that in the last 8 days, updates have been released for Firefox. Oracle has also indicated that they will be releasing a patch for Java on February 19 according to various sources http://nakedsecurity.sophos.com/2013/02/12/oracle-on-java-we-will-have-patch-tuesday-after-all/

Tags:

Categories: Uncategorized