Patch Tuesday leaves Internet Explorer zero day untouched
It’s Patch Tuesday time again. This month Microsoft has unleashed nine new security bulletins. Nine is a reasonably high number of updates, however, only two of them are rated as Critical. So, it’s actually a little more laid back than most months, but there’s still cause for concern.
There are seven security bulletins rated as Important, which affect a range of platforms and services including Active Directory, the Windows antimalware client, and the Windows Kernel. The two Critical security bulletins apply to Internet Explorer and Remote Desktop. Be prepared—most of the patches require a reboot.
Wolfgang Kandek, CTO of Qualys, suggests that IT admins focus on Internet Explorer first. “This month, the most important bulletin to apply to your infrastructure is MS13-028, which contains a new release of Internet Explorer (IE) covering all versions of the browser starting with IE6 going to IE10, and also including Windows RT, the operating system for mobile devices and tablets.”
Andrew Storms, director of security operations for nCircle (a Tripwire company), agrees that Internet Explorer deserves attention, but adds that Internet Explorer lacks its usual “patch immediately” urgency. Microsoft has assigned the underlying IE flaws with an exploit index rating of two, which indicates that Microsoft believes they are exceptionally difficult to exploit, and there’s not likely to be a successful exploit in the next 30 days.
It’s not all sunshine and roses, though, according to Marc Maiffret, CTO of BeyondTrust. First, he notes that the flaws addressed in the Internet Explorer update affect all supported versions of Internet Explorer, and warns that attackers will be working diligently to develop an exploit with such a large pool of potential targets.
Maiffret also points out that the Microsoft update does not address a recently-discovered vulnerability in Internet Explorer 9, which could enable an attacker to bypass security controls and execute additional exploits.
As always, all relevant patches should be applied as soon as possible. Once a patch is released, attackers can reverse-engineer it to figure out how the vulnerability works and develop an exploit for it. It’s a race to get your PCs patched before attackers craft an exploit, and the reality is that most malware attacks use exploits against known vulnerabilities for which patches have already been developed.
Consumers and small businesses should have Automatic Updates enabled. Businesses that need to test and validate patches before deploying them should get to work.
As an aside, Adobe also released updates today for ColdFusion, Flash Player, and Shockwave Player.