July 2013 patches for Microsoft, Adobe, Oracle


It’s the second Tuesday of the month, and that means it’s Patch Tuesday once again!  Well, for two of the companies mentioned.  Oracle still sees the need to do things their way, so their patches are out a week from today.  Still, be aware that Java might (read: probably will) be patched here in the near future.

But let’s focus on what’s out today, shall we?  I’m going to try to display the information in a useful format without getting into tables and without extending things too long.  Microsoft has 7 patches that address 33 vulnerabilities; Adobe has 3 patches that address 6 vulnerabilities.  They’re all pretty much in the “patch ASAP” category.

Microsoft

  • MS13-052 – Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • .NET Framework on Windows (all versions)
      • Silverlight 5 running on Mac or Windows
    • Vulnerability Count: 7
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Silverlight is a little like Java in that its presence as an application framework is sometimes required for business purposes, but it should be removed where possible.  Unfortunately, Netflix requires it for PC viewing on Windows, so many millions of systems have it installed.  Fortunately, even Microsoft sees an end in sight for Silverlight and has largely discontinued its use.  Here’s hoping that the remaining users also see fit to scrap it.
  • MS13-053 – Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution, Elevation of Privilege
    • Products Affected:
      • Windows (all versions)
    • Vulnerability Count: 8
    • Public Status: 2 disclosed, none in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: One of the publicly disclosed issues is the bug that Tavis Ormandy found and published a couple of months ago.  Microsoft is downplaying the risk, saying that an attacker needs local access for the likely scenario to work; that presumes a system left unpatched for this will be patched for everything else, or that the exploit won’t arrive via e-mail or a web download.  I’ve leveraged it in a pen test through another remote vulnerability that wasn’t patched.  It’s really not hard to do.
  • MS13-054 – Vulnerability in GDI+ Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions)
      • Office (all except 2013)
      • Visual Studio .NET 2003
      • Lync Client for Windows (all versions)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: I considered putting this in the 30-day category, but it affects such a wide variety of software that I could not in good conscience do so.  This is probably going to be a quick target for attackers.
  • MS13-055 – Cumulative Security Update for Internet Explorer
    • Severity/Impact: Critical / Remote Code Execution, Information Disclosure
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 17
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s Internet Explorer.  It needs to be patched.  Sixteen of the vulnerabilities are memory corruption bugs reported to Microsoft by at least a dozen people.  Memory corruption is a big topic of research these days.
  • MS13-056 – Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: This has to do with specially-formed GIF files, a file format in very wide use on the Internet, hence the short patch period.
  • MS13-057 – Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution
    • Severity/Impact: Critical / Remote Code Execution
    • Products Affected:
      • Windows (all versions except Server Core)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: Most video is played back in Flash or HTML5, but there are still plenty of ways to get Windows Media Player to play something from the Internet.  Patch soon.
  • MS13-058 – Vulnerability in Windows Defender Could Allow Elevation of Privilege
    • Severity/Impact: Critical / Elevation of Privilege
    • Products Affected:
      • Windows Defender when installed on Windows 7 or Server 2008 R2 (does not affect Security Essentials or other Microsoft security software)
    • Vulnerability Count: 1
    • Public Status: Not disclosed, not in widespread use
    • Recommendation: Patch in next 7 days
    • Notes: It’s antivirus software, so you should be patching it pretty much immediately.  However, my actual recommendation is to get a real AV product.  If you’re a business, you need to spend some money, but it’s worth it.  If you’re at home, there are plenty of good, free AV options to go with such as Avast or AVG if you don’t want to buy something.

Adobe

  • APSB13-17 – Critical security update for Adobe Flash Player
  • APSB13-18 – Critical security update for Adobe Shockwave Player
  • APSB13-19 – Critical security update for ColdFusion 10, Important update for 9.x
