Microsoft has just provided advance notice of the operating system and application patches that are scheduled to be released on Tuesday, May 14. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms13-may. There are a total of ten patches. Two are identified as CRITICAL for workstation operating systems, and both apply to all current versions of Windows and to all Internet Explorer versions. The remaining eight patches are identified as IMPORTANT and affect Windows, .NET Framework, Lync, Office and Windows Essentials. The two critical patches address vulnerabilities that would enable remote code execution if they were successfully exploited. The patches designated as IMPORTANT address vulnerabilities that could also allow remote code execution for Lync and all supported versions of Publisher, Visio and Word 2003 SP3 for Microsoft Office. The remaining patches address vulnerabilities that could allow an elevation of privilege, denial of service, information disclosure, or spoofing if successfully exploited.
At this time, it is unknown whether the remote code execution vulnerabilities have been publicly disclosed and whether reliable exploit code is expected to materialize in the next 30 days. Those aspects of the vulnerabilities will determine whether a "patch now" recommendation will be issued as opposed to a "patch as soon as possible" recommendation. Additional information will be provided on Tuesday, May 14 following the release of the patches.
Update May 14 – 1:00 p.m.
Microsoft has just released the patches for May 2013. The Windows updates for May DO include a patch for the zero-day Internet Explorer 8 vulnerability identified on May 6 – see https://technet.microsoft.com/en-us/security/bulletin/ms13-038 for additional details. Microsoft has also released patch https://technet.microsoft.com/en-us/security/bulletin/ms13-037 for a second SET of CRITICAL Internet Explorer vulnerabilities. MS13-037 is the cumulative Internet Explorer patch that fixes 11 vulnerabilities for all versions of Internet Explorer. As a large number of the 11 vulnerabilities are expected to have reliable exploit code developed within the next 30 days, it is recommended that the May patches be applied to workstations as soon as possible. For any Windows XP workstations that use Internet Explorer 8, the MS13-038 patch should be applied immediately.
As of this time, no known exploits exist for the vulnerabilities on Windows Server operating systems. For that reason, for Windows server environments, the patches should be applied as soon as feasible following adequate testing and scheduled to minimize impact to production.
Patches for two other third-party (non-Microsoft) products were also issued on May 14. The third-party products are Adobe Reader/Acrobat and Adobe Flash/AIR. Exploit code has been publicly identified for version 9.5.4 of Acrobat and Reader on Windows and for the Windows version of Flash, 11.7.700.169. For that reason, Windows systems running version 9.5.4 of Reader/Acrobat and/or the Windows version of Flash 11.7.700.169 should be updated immediately to the new versions of the Adobe products.
Additional details are available at:
Adobe Reader and Acrobat update for Windows and Macintosh – updated versions are 11.0.3 and 10.1.7
Adobe Flash and AIR update for Windows and Macintosh – updated version is 11.7.700.202