SpiderLabs Anterior

So far this year we has had two Patch Tuesday months with seven bulletins (January and March) and two with ten bulletins (April and May) and one with twelve (February) so I am very glad that we only have five bulletins this month. That gives us all more time to go out and enjoy the summer weather. Although just because there is only five bulletins this month doesn’t mean we shouldn’t pay attention to them. First if you are planning ahead note that four of these bulletins will require a restart after installing and the fifth one might, probably depending on what else you have installed.  Definitely pay attention to bulletin number one, which is a critical remote execution flaw in Internet Explorer, which looks like it impacts versions 6 thru 10. The rest are all rated Important, with an Elevation of Privilege, a Denial of Service and an Information Disclosure issue in Windows and a remote code execution issue in Microsoft Office. The interesting part about the Office Patch is that it impacts Office 2003 SP3 and Mac Office 2011

See you next Tuesday with all the gory details!

I keep hoping for an easy relaxing Patch Tuesday of say, only two or three bulletins but so far this year things haven’t been so easy. So far this year we have Patch Tuesdays of seven, ten and seven bulletins, respectfully, and this month we have ten.  (hmm, is there a pattern there?) Not only that we have a zero-day vulnerability in Internet Explorer to deal with. I long for months like September 2012 when there were but two bulletins but I should feel lucky that its not December 2010 or April 2011 when we had no less than seventeen bulletins. I’ll take the ten and be happy. 

This month there are only two critical patches, both covering remote code execution, both in Internet Explorer. The rest are all rated as Important and can be found in Windows, Lync, Publisher and Word. Bulletin Nine is in Windows Essentials, which is a product we haven’t seen much of here on Patch Tuesday. 

There will be ten bulletins released by Microsoft next Tuesday and one of those should be for the recent Internet Explorer zero-day discovered earlier this week.  Buletin 2 should cover the remote code execution of the IE-8 0day while Bulletin 1 will also cover RCE in IE 6 thru 10.  We suspect Bulletin 1 will fix the issue discovered during the PWN2OWN competition at CanSecWest earlier this year.

Bulletins 3, 4, and 10 are in Windows itself including .NET. They are rated Important and cover Denial of Service, Spoofing and Elevation of Privilege vulnerabilities.

Bulletins 5, 6, and 7 are all rated Important and all three result in remote code execution in parts of Microsoft Office. Specifically Communicator and Lync, Publisher and Word in that order.

Bulletin 9 is also rated as Important and results in Information Disclosure in Windows Essentials. Don’t get confused with Security Essentials. Windows Essentials is a free software pack for Windows 7 that includes Mail, Movie Maker, Messenger and other useful apps that Microsoft gives away.

This month we have nine bulletins, two critical covering just fourteen CVEs. The critical bulletins are in Internet Explorer and Remote Desktop Client, two areas we have seen a lot of vulnerabilities. The rest are all rated important. One of those in Windows Defender and one in Active Directory are in areas we haven’t seen much activity lately. 

One thing to keep in mind is that this month marks one year left on support for Windows XP. That means no more security updates or patches for those of you still holding on to XP SP3 which is now five years old. (Windows XP with no service packs is now a teenager.) Some estimates put the installed base of XP at 40% of all PCs, which seems like an absurdly high number. The issue for many larger companies seems to be custom built applications that need to be rewritten to work on newer operating systems and outdated hardware, which in this economy no one wants to pay to update. I guess they can either pay now to update or pay later when they have lost their intellectual property to attackers or their productivity to downtime as a result of attacks.

Ah, April, for most of us the weather is turning warm, birds return to their trees, flowers start blooming and the Red Sox lead the American League East, at least for a day or two. Some of us will get to go outside and enjoy those things and some of us will get to spend some quality time in our server rooms applying patches. We have nine bulletins from Microsoft this month, two of them critical.  Five bulletins deal directly with Windows, one with Internet Explorer 6, 7, and 8, one with SharePoint, one with Windows Defender and one that impacts Microsoft InfoPath 2010, SharePoint, Groove Server and Office Web Aps.

Saint Patrick’s day is quickly becoming Saint Patrick’s week. Some cities have scheduled their parade a week earlier than the actual day, which I guess means an extended period of green beer. Hopefully the luck of Irish is with you this month as Microsoft rolls out seven bulletins that may impact your systems. If they attackers get lucky they could end up execute arbitrary remote code so grab your lucky charm and apply these patches as soon as you can so you go grab some of that green beer before it is all gone.

First the raw numbers; we have seven bulletins this month, four critical, and three important. There are three Remote Code Executions, two Elevation of Privilege and two Information Disclosures.  Two of the patches definitely require a reboot of your machine, three of them might and two you can get away without restarting after installation.

All right that’s the numbers, lets look at what we are dealing with here. Bulletin One is RCE, is rated as critical and impacts just about every version of Windows from XP SP3 on up and Internet Explorer 6 thru 10.  My guess is this will probably be a use after free vulnerability, we’ve seen a lot of those lately, they impact a lot of stuff and often result in in RCE.