Microsoft Patch Overview for January 2013


This is based on something that I used to do for a former workplace, usually on patch release day. Patch release day is the second Tuesday of each month, also known as Black Tuesday, especially since other companies have taken to releasing on the same day. It’s not uncommon to see Adobe release Flash and Reader updates on the same day.

These are based in part on my experiences watching Microsoft software and reflect my own opinion where it deviates from Microsoft’s advice. There may be some people interested in an alternate, practical view from someone who will look to target these kinds of things in the future.  I try not to get too technical, but for something like this, there’s only so much techno-jargon that can be removed before it gets distilled down to “Just patch!”  But if none of the following makes sense to you, that’s probably a good path to follow just in case.

Updated 14 Jan 2013 at 17:15 CST: Microsoft released MS13-008 today to address a flaw in Internet Explorer.  The post has been updated to address that.

Notes and Observations

  • Seven bulletins were released covering 12 vulnerabilities. One of the vulnerabilities, MS13-002, has numerous patches depending on the version(s) of XML Core Services installed on a system.
  • The first bulletin, MS13-001, is a print spooler vulnerability that allows code to run as SYSTEM. Print spoolers have been prime targets in the past. This should be a priority for patching on all of your systems.
  • An additional patch, MS13-008, for Internet Explorer 6, 7, and 8 was released out-of-band on 14 January 2013. It addresses a vulnerability that is currently and widely being exploited by attackers. This should be a priority for patching.
  • The patch for MS13-007 appears to simply change a default setting. This strikes me as a problem because the setting might be turned back on by someone who may or may not know the potential consequences, or by someone with an ulterior motive. Troubleshooting may become difficult at that point if it has been re-enabled to set up a denial of service condition: a check of the box will show that the system is completely patched while it is still experiencing resource exhaustion. This seems to me more a band-aid than a patch.
  • There was no Internet Explorer patch in the regular release this month (MS13-008, noted above, came later out-of-band). The vulnerability affecting Internet Explorer 6, 7, and 8 that was discovered and publicized at the end of December was at that point still not formally patched, exploit code is public, and its use has been seen in the wild. Microsoft has published a “one-click” fix for it, but it has to be implemented separately from automatic patch downloads.
    • Advice for enterprise users: If possible, make sure that you have something newer than IE8. This isn’t always possible, either because you’re on Windows XP or because you have software that doesn’t work with anything newer. You also may not be able to use an alternate browser. In this case, look into rolling out the one-click fix above or installing the Enhanced Mitigation Experience Toolkit (EMET). The benefit of EMET is that it works against a wide variety of attacks for which there may be no fix. Support is limited and it’s not perfect, but it can help in some cases before the attack is even known.
    • Advice for home users: Make sure you have the newest version of Internet Explorer available for your system. For Windows XP, this is IE8. For Vista and 7, this is IE9. For Windows 8 and RT, this is IE10. If you have Windows XP, try to use a different browser (Firefox, Chrome, Opera, or Safari) if at all possible. Installing EMET probably wouldn’t hurt, either.
  • Of the five patches that affect a swath of Windows products, only two of them affect Windows XP. I’m not sure if this is just an oddity or a sign that XP’s code has reached a new maturity level. I suspect it’s the former, but it will still be interesting to watch.
  • Microsoft finished up last year with 83 bulletins. That sounds like a lot, but it’s better than the 100 published the year before and many of the 2012 bulletins were variations on a library load path vulnerability. They started last year with seven bulletins, the same as this year. Maybe this year will see a continued decline.

Chart Guidance

  • Enterprise Severity denotes the timetable in which I believe enterprises should try to patch the affected vulnerabilities and may differ from Microsoft’s severity decision. Differences are usually based on historic targeting habits of attackers who go after certain vulnerabilities (SMB, RDP, print spoolers) more often. The need for effective patch review is not removed, of course, and different businesses have different needs. In some cases, there may be mitigating factors that may allow a somewhat more relaxed timetable. Nevertheless, those rated with a severity of 1: Critical should be considered to be priority in almost any environment.
    • Enterprise Severity Levels:
      1. Critical: Currently being exploited, publicly available exploit code, and/or likely to be easily exploitable in the very near future. Patch within 7 days.
      2. High: Not known to be public or public with strong mitigating factors. Patch within 30 days.
      3. Low: Not known to be public and not likely to be a reliable exploit. Patch on next scheduled update cycle or within 90 days.
  • Home Severity is not included because it is almost always the same: patch it as soon as it’s released! It’s extremely rare for a patch to break things (only one patch that I can think of was re-released last year for breaking something, and even then it affected a minority of users), so it’s best to just install every patch as it’s released.
  • Patches are almost always published right around 10:00 Pacific Time on the second Tuesday of each month. Occasional out-of-band patches are also published, but these are uncommon and address vulnerabilities known to be widely exploited.
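As an added illustration (not part of the original post), the severity rules and deadlines above encoded as a small triage script and applied to this month's bulletins. The keyword list used to flag historically targeted components, the release dates, and the per-bulletin public/exploited flags are assumptions transcribed from this post.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Deadlines from the "Chart Guidance" section: 1 Critical, 2 High, 3 Low.
DEADLINE_DAYS = {1: 7, 2: 30, 3: 90}
# Components the post says attackers historically go after (assumed keyword match).
HISTORIC_TARGETS = ("print spooler", "smb", "rdp")

@dataclass
class Bulletin:
    bid: str
    title: str
    ei: Optional[int]            # Microsoft Exploitability Index; None for N/A
    public: bool                 # exploit code or details already public
    exploited: bool              # seen in use in the wild
    strong_mitigation: bool = False
    released: date = date(2013, 1, 8)   # regular Patch Tuesday (constructed)

def enterprise_severity(b: Bulletin) -> int:
    """Map a bulletin onto the post's 1/2/3 enterprise severity scale."""
    targeted = any(t in b.title.lower() for t in HISTORIC_TARGETS)
    if b.exploited or (b.public and not b.strong_mitigation):
        return 1  # Critical: exploited, or public without strong mitigation
    if b.ei == 1 and targeted:
        return 1  # Critical: easy to exploit and a historically targeted component
    if b.ei in (1, 2) or (b.public and b.strong_mitigation):
        return 2  # High: reliable exploit plausible, but nothing public yet
    return 3      # Low: EI 3 or N/A and nothing public

def patch_by(b: Bulletin) -> date:
    """Deadline = release date plus the window for the computed severity."""
    return b.released + timedelta(days=DEADLINE_DAYS[enterprise_severity(b)])

def triage(bulletins):
    """Return (id, severity, deadline) tuples ordered as a patch queue."""
    rows = [(b.bid, enterprise_severity(b), patch_by(b)) for b in bulletins]
    return sorted(rows, key=lambda r: (r[2], r[0]))

JAN_2013 = [  # values transcribed from the table in this post
    Bulletin("MS13-001", "Windows Print Spooler Components", 1, False, False),
    Bulletin("MS13-002", "XML Core Services", 1, False, False),
    Bulletin("MS13-003", "System Center Operations Manager", 1, False, False),
    Bulletin("MS13-004", ".NET Framework", 1, False, False),
    Bulletin("MS13-005", "Windows Kernel-Mode Driver", 1, False, False),
    Bulletin("MS13-006", "Windows Security Feature Bypass", None, False, False),
    Bulletin("MS13-007", "Open Data Protocol", 3, False, False),
    Bulletin("MS13-008", "Internet Explorer", 1, True, True, released=date(2013, 1, 14)),
]

if __name__ == "__main__":
    for bid, sev, due in triage(JAN_2013):
        print(f"{bid}  severity {sev}  patch by {due}")
```

The output reproduces the post's ratings: MS13-001 and MS13-008 come out Critical, MS13-002 through MS13-005 High, and MS13-006 and MS13-007 Low.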

January 2013 Microsoft Security Bulletin Overview

Fields for each bulletin: Affected Products; Title; Severity/Impact (Microsoft severity, impact, Exploitability Index); Notes; Enterprise Severity.

MS13-001
  Affected Products: Windows 7; Windows Server 2008 (Core affected)
  Title: Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution
  Severity/Impact: Critical; Remote Code Execution; EI: 1
  Notes: Addresses 1 issue. Not known to be public. Flaw in handling specially-crafted print jobs. Code executes with SYSTEM privileges. Likely to be a target for potential attackers.
  Enterprise Severity: 1: Critical (patch within 7 days)

MS13-002
  Affected Products: Windows XP, Vista, 7, 8, RT; Windows Server 2003, 2008, 2012 (Core affected); Office 2003, Office 2007, Office Compatibility Pack, Word Viewer; Expression Web; Groove Server 2007; SharePoint Server 2007
  Title: Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution
  Severity/Impact: Critical; Remote Code Execution; EI: 1
  Notes: Addresses 2 issues. Not known to be public. Code executes with current user privileges.
  Enterprise Severity: 2: High (patch within 30 days)

MS13-003
  Affected Products: System Center Operations Manager 2007
  Title: Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege
  Severity/Impact: Important; Elevation of Privilege; EI: 1
  Notes: Addresses 2 issues. Not known to be public. Reflected cross-site scripting (XSS) vulnerability in the SCOM Web Console allows an attacker to take action or retrieve information as the logged-in user.
  Enterprise Severity: 2: High (patch within 30 days)

MS13-004
  Affected Products: Windows XP, Vista, 7, 8, RT; Windows Server 2003, 2008, 2012 (Core affected)
  Title: Vulnerabilities in .NET Framework Could Allow Elevation of Privilege
  Severity/Impact: Important; Elevation of Privilege; EI: 1
  Notes: Addresses 4 issues. Not known to be public. An attacker could perform one of several actions against a system, including reading otherwise inaccessible memory contents or taking complete control of the system. This applies both to servers running a .NET web application and to clients using a browser to access that web application.
  Enterprise Severity: 2: High (patch within 30 days)

MS13-005
  Affected Products: Windows Vista, 7, 8, RT; Windows Server 2008, 2012 (Core affected)
  Title: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege
  Severity/Impact: Important; Elevation of Privilege; EI: 1
  Notes: Addresses 1 issue. Not known to be public. Code may be run at a higher privilege. An attack against an administrative user could take complete control of the system; an attack against a lower-privilege user could still gain privileges usually denied.
  Enterprise Severity: 2: High (patch within 30 days)

MS13-006
  Affected Products: Windows Vista, 7, 8, RT; Windows Server 2008, 2012 (Core affected)
  Title: Vulnerability in Microsoft Windows Could Allow Security Feature Bypass
  Severity/Impact: Important; Security Feature Bypass; EI: N/A
  Notes: Addresses 1 issue. Not known to be public. A man-in-the-middle attacker can force a silent downgrade of encrypted traffic to SSLv2, which may allow the use of weak, breakable ciphers.
  Enterprise Severity: 3: Low (patch on next cycle or within 90 days)

MS13-007
  Affected Products: Windows Vista, 7, 8, RT; Windows Server 2008, 2012 (Core affected)
  Title: Vulnerability in Open Data Protocol Could Allow Denial of Service
  Severity/Impact: Important; Elevation of Privilege; EI: 3
  Notes: Addresses 1 issue. Not known to be public. Using a few specially-crafted HTTP requests, an attacker can trigger replication of data and exhaust system resources, causing a denial of service. The patch disables WCF Replace by default, and it can still be re-enabled even with this patch installed.
  Enterprise Severity: 3: Low (patch on next cycle or within 90 days)

MS13-008
  Affected Products: Internet Explorer 6, 7, 8
  Title: Security Update for Internet Explorer
  Severity/Impact: Critical; Remote Code Execution; EI: 1
  Notes: Addresses 1 issue. Known to be public and to be currently and widely exploited. Code executes with current user privileges.
  Enterprise Severity: 1: Critical (patch within 7 days)

Exploitability Index (EI):
1. Consistent exploit code likely
2. Inconsistent exploit code likely
3. Functioning exploit code unlikely

Where a cumulative patch addresses several issues, the EI shown is the highest rating among them.
