HEAT Security Blog

Nothing Pretty About Fireworks Delivered From Microsoft This Patch Tuesday

IT admins may have taken the Fourth off to enjoy some fireworks, but they’ll be very busy this week patching their systems. It’s not a pretty Patch Tuesday this month with 7 bulletins, 6 of which are critical. That brings our total of critical bulletins for the year to 22, which is fairly high, considering Microsoft released only 34 critical bulletins for the entire calendar year of 2012. July is one of the uglier releases we’ve seen from Microsoft this year. To say that all Microsoft products are affected and everything is affected critically is not an overstatement. It’s difficult to prioritize one or two because all the bulletins likely need your attention this Patch Tuesday.

While there may be speculation the extensive release is due to Microsoft’s bug bounty program, I think that’s unlikely. Since the announcement of the program took most security researchers by surprise, it will likely be a few months before we really see the effects of the program. That said, I do expect to see the number of bulletins Microsoft issues increase over the second half of this year. Microsoft has long resisted implementing a bug bounty program, which other vendors have found success with. The start of the program will likely increase the number of bulletins we see over time, but in the long run, will ensure that Microsoft products are more secure. It will also help motivate researchers to improve their disclosure with Microsoft over other sources that purchase vulnerabilities, which includes bad guys. This ensures Microsoft will be aware of vulnerabilities more quickly and we won’t see as many bugs being exploited in the wild before Microsoft is ready to release a patch.

All six of the critical bulletins this month are remote code execution vulnerabilities, which I find concerning. Since these types of vulnerabilities give attackers access to your machine without needing physical access, or sometimes even a password, they are definitely a cause for concern.

MS13-052, MS13-053, MS13-054 and MS13-057 affect most versions of Windows, including current operating systems Windows 8 and Windows RT. As I’ve said many times in the past, it’s never a good thing to see the current code base impacted, as that’s supposed to be the most secure version available. They also affect most recent versions of Windows Server.

MS13-053 should be your top priority this month. This is the vulnerability that was publicly disclosed by Google researcher Tavis Ormandy a few months ago. Thanks to that irresponsible disclosure, it is under limited active attack. Though it’s impossible to know for sure, it is my contention that we would not be seeing any active attacks with this vulnerability had the principles of responsible disclosure been followed. In addition, Microsoft has identified a secondary attack vector through a remote code execution, which is also being patched by MS13-053. This secondary vector is not under active attack, fortunately.

MS13-052 and MS13-054 are interesting because they also affect programs outside of the operating system. MS13-052 affects Microsoft Silverlight 5, and MS13-054 affects Microsoft Office, Microsoft Visual Studio and Microsoft Lync (though only Lync is critically affected). It would be my guess that these programs are the vector for the attack. The remote code execution might be done by convincing a user to open a malicious file within one of these programs. These are related to a vulnerability in GDI+, which spans multiple programs, and that is why these bulletins have such a far-reaching effect.

MS13-055 is another Internet Explorer issue, something we’ve seen quite a bit over the last few months. I encourage you to upgrade to the latest version of Internet Explorer, since that’s typically the most secure version. As to this vulnerability, it would be my assumption that this is another phishing-style vulnerability. An attacker would have to trick a user into navigating to a malicious webpage within IE before the RCE could be completed. This should be your other top priority for the month, with so many CVEs involved in this bulletin.

MS13-056 and MS13-057 are very similar to MS13-053, though MS13-056 does not affect Windows RT. I would guess that these are also kernel mode drivers or similar issues within the operating systems, though it’s great to see that it doesn’t impact Windows RT.

MS13-058 is the sole important bulletin in this batch. It’s an elevation of privilege issue affecting Windows Defender, which is Microsoft’s built-in security system. While it’s less worrisome than the other bulletins because it’s ranked important, it is still concerning in that it directly impacts the security system for the machine. Windows Defender is also free software, making it very widely used. If an attacker got in as a low-rights user and then exploited this vulnerability to elevate their privileges to admin, the impact would in fact be critical. I would rank this high on the priority list for that reason.

Microsoft has also issued a security advisory this month with a Flash update, and they’ve announced a new policy regarding the Windows app store. In order to help protect customers, when vulnerabilities in applications are reported, developers now have 180 days to submit updates to the applications. Updates will come through the Windows app store, which helps ensure that the updates applied are not malicious either. You may recall a proof of concept app from Duo Security that came out a few years ago. Google has since fixed the vulnerability that allowed malicious updates to be installed, but I’m glad to see Microsoft is not venturing down that same road and is instead going with a secure model for updating applications.


Windows:

Oracle Java JRE Content

»      Oracle Java JRE 1.7.0_25 for Windows

Adobe Security Content

»      Adobe APSB13-16 AIR for Windows

»      Adobe APSB13-16 Flash Player for Windows

»      Adobe APSB13-16 Flash Player 11.7.700.224 for Windows

Firefox Security Content

»      Mozilla Firefox 22.0 for Windows

»      Mozilla Firefox ESR 17.0.7 for Windows


Mac OS X:

Oracle Java JRE Content

»      Oracle Java JRE 1.7.0_25 for Mac OS X

Adobe Security Content

»      Adobe APSB13-16 Flash Player for Mac OS X

»      Adobe APSB13-16 Flash Player 11.7.700.225 for Mac OS X

Apple Security Content

»      Apple 2013-06-18 Java for OS X 2013-004

»      Apple 2013-06-04 Mac OS X 10.8.4

»      Apple 2013-06-04 Security Update 2013-002

»      Apple 2013-06-04 Safari Update 6.0.5

Firefox Security Content

»      Mozilla Firefox 22.0 for Mac OS X

»      Mozilla Firefox ESR 17.0.7 for Mac OS X


CentOS:  74 bulletins released

HP-UX:  5 bulletins released

Novell SUSE Linux:  86 bulletins released

Oracle Linux:  105 bulletins released

Oracle Solaris:  62 bulletins released

Red Hat Linux:  76 bulletins released
