Today is Patch Tuesday. It also happens to be the 10-year anniversary of the montly security patch update. For October, Microsoft released eight new security bulletins—four rated as Critical and four Important. There is one in particular, though, that deserves the most urgent attention.
MS13-080—the cumulative security update for Internet Explorer—addresses a total of 10 separate vulnerabilities affecting all supported versions of the Web browser. But, the urgency for applying this update stems from the fact that two of the vulnerabilities addressed are zero-day flaws that are already being actively exploited in the wild.
“Many people have been on their toes watching the IE exploit since it first became public in mid-September,” says Andrew Storms, senior director of DevOps for CloudPassage. “Despite the exploit being used in a watering hole attack and Metasploit releasing a module for the exploit, Microsoft did not find it necessary to release the fix out of band.”
“So far these bugs are only being exploited in limited attacks, but users are still strongly encouraged to patch IE as soon as possible,” says Lamar Bailey, director of security research and development for Tripwire. “Now that a patch is available we expect to see a rise in the number of attacks using these vulnerabilities.”
Storms agrees, cautioning IT admins and users not to take Microsoft’s leisurely pace as a justification to sit on this one. “Regardless of Microsoft’s decision to not go out-of-band, users should prioritize the fix at the top of their list,” he says.
Internet Explorer doesn’t have a monopoly on the fun this month. There are two other security bulletins that follow closely behind the Internet Explorer cumulative security update in terms of urgency.
MS13-081 addresses seven vulnerabilities in kernel-mode drivers affecting all versions of Windows except for Windows 8.1, Windows RT 8.1, and Windows Server 2012 R2. Two of the flaws are related to font-parsing and could enable an attacker to remotely execute malicious code if successfully exploited.
“Both of the font vulnerabilities will be a prime target for attackers in the near future, since these types of vulnerabilities have proven to be useful in targeted attacks in the past,” says Marc Maiffret, CTO at BeyondTrust. “Administrators should deploy this patch as soon as possible.”
Ross Barrett, senior manager of security engineering at Rapid7, says that it’s important to apply the MS13-083 update as soon as possible as well. “This is a genuine article; a real, honest to goodness, potentially ‘wormable’ condition,” he says. “If the ‘bad guys’ figure out a way to automate the exploitation of this, it could spread rapidly and the defense in depth measures of your organization will be tested.”
Microsoft has released a total of 87 security bulletins so far this year. That puts them 17 ahead of last year’s pace, and if the average pace of security bulletins continues for the next couple of months it will easily put Microsoft over 100 security bulletins for the year—a dubious milestone that Microsoft has only achieved a few times. However, the number of bulletins should also be viewed from the perspective that Microsoft has stepped up the pace for addressing identified vulnerabilities, and it is patching a growing number of supported platforms and applications.
“A quick congratulations to Microsoft as their flaw remediation program officially turns 10 this month,” says Paul Henry, security and forensics analyst at Lumension. “October 2003 marked the first proactive patch issue from Microsoft, on a Wednesday to start. Patch Tuesdays started the following month and, over the last decade, has positively impacted IT’s ability to make informed decisions.”
Wolfgang Kandek, CTO of Qualys, also reflects on the anniversary of Patch Tuesday in a blog post: “Our perspective has certainly evolved from 10 years ago when Patch Tuesday was started. Back then, vulnerabilities were clear cut and straightforward to understand, today the amount of complexity that goes into the detection and remediation process is truly impressive. At the same time, attackers have shifted to client side vulnerabilities, a change that we only partly assimilated; we are good in addressing the browser vulnerabilities, but generally lag behind in other areas that will be in focus this month such as Adobe Reader and Java.”