June is here: Patches galore!

So June 2013 has arrived, and with it, so many security updates.  Some have been released, some have not, and some won’t be patched until at least next month.

Here are the patches that have been released, or at least scheduled.  (I’m probably not going to do my Microsoft overviews anymore.  They take a LONG time to write up and are useful to only a niche crowd that can find the details elsewhere.  I’ll still post when bad things come along, but not with as much detail.)

Microsoft Windows, IE, and Office

Microsoft released a few patches this week.  Of special note:

  • MS13-047: Internet Explorer gets updates, and a lot of them.  How many?  This update includes fixes for NINETEEN vulnerabilities.  While they weren’t known to be publicly exploited as of Tuesday, frameworks like Metasploit have already caught up to May’s updates, and odds are that June’s updates will be covered soon.
  • MS13-051: Office gets an update (or several of them, judging by Windows Updates for me), covering attacks that are already in the wild.  Yep.  Microsoft patches something the bad guys know is broken.  Time to patch now and break the bad guys’ hearts.

What has not been fixed is Tavis Ormandy’s odd little find from the last month or so.  While it’s a local privilege exploit, don’t dismiss it, as I used it on the path to Domain Administrator access in a recent test.  It absolutely works (sometimes, but for me when it counted).  No word on when it will be addressed, but it probably won’t be before 12 July 2013.

Adobe Flash

Adobe released a Flash update, as they do pretty much every month.  Either update Flash or Chrome (or both for those that run Flash outside of Chrome, which is most of you).  Adobe Reader seems to be unaffected, but here’s a random reminder to check your installed version.  If you’re not on 10.x or 11.x, you’re at serious risk.

Oracle Java

Oracle has not released a Java patch this month…yet.  No, that’s not until next week.  That’s when Oracle releases an update that fixes 40–that’s forty, as in four times ten–known vulnerabilities.  How badly does it affect Java?  The update announcement includes mention of Java 7 b21 and earlier, which isn’t surprising.  But it also mentions Java 6 b45 and earlier, which is funny because Java 6 support was supposed to end in February with a one-time extension in April.  However, it also mentions Java 5 b45 and earlier.  Java 5 was supposed to be EOL last year.  It looks to me like Oracle has had to face the very ugly truth that people don’t upgrade like Oracle wants them to.  Even if they fix Java 7 and 8 with a crash security program such as was seen with Microsoft and Windows XP SP2, I expect that Java problems will be with us for a long, long time to come.