Microsoft’s monthly ‘Patch Tuesday’ update, released on the second Tuesday of each month, was made available yesterday. It addresses a whopping 57 separate security vulnerabilities across 12 security bulletins and spans dozens of Microsoft platforms and products, including Windows Server, various Windows client OSes, and Internet Explorer. Microsoft outlined all of the bulletins in its Security Bulletin for February 2013, rating five of them as critical and seven as important. Due to the size and severity of the issues being patched, many security experts have said that this is one of the largest and most significant Patch Tuesday updates in recent memory.
According to Chester Wisniewski, a Senior Security Advisor at Sophos Canada, the first bulletin, MS13-009 (Cumulative Security Update for Internet Explorer), is the most important. “This patch fixes 13 privately disclosed vulnerabilities in Internet Explorer that could result in remote code execution (RCE),” Wisniewski writes in the Sophos Naked Security blog. “In more simple terms, browsing to a malicious web site could result in malware being installed on your computer. Often the distinction between privately and publicly disclosed vulnerabilities can make a difference as to the urgency of applying the fix. In this case, despite the bugs being privately disclosed Microsoft is warning that exploitation in the wild is imminent.”
Wolfgang Kandek, CTO of cloud security provider Qualys, thinks that the second most significant bulletin is MS13-010 (Vulnerability in Vector Markup Language Could Allow Remote Code Execution), which concerns a vulnerability discovered in the VML ActiveX Dynamic Link Library (DLL). “It is rated critical and quite urgent to fix because the vulnerability is being exploited in the wild,” Kandek writes in the Qualys Laws of Vulnerabilities blog. “The bug is in the VML (Vector Markup Language) DLL, the ActiveX control for the largely unused XML-based standard format for two-dimensional Vector graphics.”
Microsoft has also provided additional guidance in the form of a risk assessment table, which should help system administrators decide which bulletins are most important and which updates to apply first.
What are your thoughts on the February 2013 Patch Tuesday release? Drop me an email with your thoughts.