March 2013 Patch Tuesday preview

Critical vulnerabilities can be exploited without user interaction; important vulnerabilities can only be exploited with user interaction. Bulletins 1, 2 and 3 all involve critical vulnerabilities that can lead to remote code execution (RCE) and should therefore be treated seriously. 

Bulletin 1 should probably be given top priority since it affects all versions of Internet Explorer, including the latest, across all operating systems, including the latest. Although, comments Paul Henry, security and forensic analyst at Lumension, “this issues has no known attacks in the wild... you should still plan to patch this immediately.” Ziv Mador, director of security research at Trustwave, suggests “this will probably be a use after free vulnerability; we’ve seen a lot of those lately, and they impact a lot of stuff and often result in RCE.”

“Bulletin 2,” says Henry, “will likely have more of an impact on consumers than business users, as it only affects the Microsoft Silverlight plug-in.” He points out that plug-ins should be kept as up-to-date as possible as they are frequently attacked – and should be avoided if possible. Some users won’t even realize they have Silverlight installed, but, warns Wolfgang Kandek, CSO at Qualys, it “is widely installed at least on end-user workstations to run media applications, for example Netflix.”

Bulletin 3 is back to business users, affecting MS Visio Viewer and the Microsoft Office Filter Pack. Kandek is puzzled by the high rating given to the vulnerability, and says, “It will be interesting to see the attack vector for this vulnerability that warrants the ‘critical’ rating.” Bulletin 6 has only an ‘important’ rating and affects Office for Mac 2008 and 2011. “If I was a betting man,” comments Mador, “I might say it could be related to Bulletin 3 in Visio – we will have to wait until Tuesday to find out.”

Bulletin 4 involves the last of the critical vulnerabilities and is an elevation of privilege issue in Sharepoint. “We’ve seen a few of these over the last several months,” comments Lumension’s Henry. “This one in particular could allow an attacker to elevate from an anonymous user to ownership of the SharePoint site, which could be very damaging. Fortunately, this is not under active attack. However, I would rank this as your second priority if you’re using SharePoint.”

Bulletins 5, 6 and 7 are rated as ‘important’. Bulletins 5 and 6 are information disclosure issues in Office. Although generally considered to be less important than privilege escalation issues, Henry warns that if exploited, the information acquired could be “used in supplement to a phishing attack.”

Bulletin 7 is another privilege escalation issue. “I would rank this as your top priority ‘important’ issue this month,” says Henry, “because of its far-reaching effect on all current Windows platforms.”

It’s not a huge number of bulletins this month, but it’s still going to be a busy time for admins. “My concern in reviewing these updates,” summarizes Alex Horan, senior product manager at CORE Security, “isn’t so much centered around the critical nature of the vulnerability, but rather the number of end-user patches that are required to shore them up. These patches can be a hassle for users to deploy and have the potential to create a long enough delay where hackers can take advantage.” It is that latency between the issue of a patch and the deployment of the patch that can often provide a window of opportunity for the bad guys.

What’s hot on Infosecurity Magazine?