In addition to covering Windows and Internet Explorer, Microsoft’s latest monthly batch of patches covers the widely used Exchange Server, both the Exchange Server 2007 and Exchange Server 2010 editions.
“Microsoft delivered a monster sized patch this month … It’s enough to make your head spin,” wrote Andrew Storms, director of security operations for security firm nCircle, in an email.
Overall, Microsoft issued 12 security updates, covering 57 vulnerabilities, one of the largest sets of security updates the company has ever released.
Microsoft tagged five of the 12 updates as critical, and labelled the remaining seven as important.
System administrators overseeing Microsoft Exchange deployments should take a close look at Microsoft’s latest round of security patches.
Patch IE first
NCircle advises that organizations apply the two critical Internet Explorer patches first. “Both of these remote execution bugs are serious security risks, so patch all of them and patch them fast,” Storms wrote. The two critical patches cover versions 6 through 10 of the browser.
“Both bulletins fix ‘drive-by bugs’ that only require the victim to browse a website to become infected with malicious code,” Storms wrote.
Microsoft Security Bulletin MS13-010 describes a vulnerability in Internet Explorer’s implementation of the Vector Markup Language (VML) that could allow for remote code execution. This vulnerability has already been used in one attack, and more attacks are expected within the next 30 days, according to Microsoft.
Also directed at Internet Explorer, MS13-009 describes 13 different vulnerabilities that are grouped together in one update because they are found in overlapping sections of the browser’s code base. Microsoft expects these vulnerabilities to be exploited within the next 30 days as well.
NCircle also advised that, in addition to patching Explorer, administrators should apply patches that Adobe released Tuesday for Flash and, if used, Shockwave.
“If you only have time to do the absolute minimum, you should patch Internet Explorer and Flash immediately,” Storms wrote.
Windows updates
Windows has two critical updates. For Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008, MS13-011 addresses a critical vulnerability in the Windows Media Player that would allow code embedded in a media file to execute when the file is decompressed by the software. And for Windows XP SP3, MS13-020 also describes a vulnerability that could lead to remote code execution, one that would occur if the user were to open, in either Microsoft Word or Wordpad, an RTF (Rich Text Format Document) with a secretly embedded ActiveX control.
Microsoft Exchange update
Microsoft Exchange is the focus of the fifth critical update.
While Windows and Explorer are updated pretty much every month, the appearance of an Exchange vulnerability is somewhat more rare. Microsoft bulletin MS13-012 explains the Exchange vulnerability. Attackers could compromise a deployment of Microsoft Exchange by having a user of Outlook Web Access click on a maliciously crafted attachment. The vulnerability actually stems from a library supplied by Oracle, called Oracle Outside In, that converts files in various formats so they can be viewed in the browser. Clicking on the attachment could trigger embedded code to execute on the server.
Of the seven “important” updates, two are for Windows Servers, one is for Windows desktop editions and two are for either the server or the desktop edition of Windows. One important update is for the .Net framework, and one is for the Fast Search server portion of SharePoint.
NCircle directed users of the VMware ESXi hypervisor to take a close look at MS13-014, which describes how NFS (Network File Server) operations running under Windows Server 2008 R2 and Windows Server 2012 could be vulnerable to a denial-of-service attack. “This has the potential to inadvertently wreak havoc on your virtual infrastructure if everything is mounted using Windows NFS shares,” wrote Tyler Reguly, nCircle technical manager of security research and development, in an email statement.
Microsoft routinely releases security patches for its software on the second Tuesday of each month. The predictability of patch Tuesday, as it is often called, allows administrators to set aside time to update their systems. As with any updates to critical IT systems, administrators are encouraged to apply the updates in a test environment to check for unanticipated interactions with hardware or other software. All of the updates in this month’s batch may require restarting the system.
The security updates will be available at the Microsoft Download Center, through WSUS (Windows Server Update Services), and, for consumers, through the Windows Update process.