Patch Tuesday Preview: October 2013

Bulletin #1 is almost certainly to fix vulnerability CVE-2013-3893, the zero-day vulnerability for which Microsoft issued an emergency Fix it little more than two weeks ago. Since this was already being used by APT actors then, and an exploit has now been added to Metasploit and is available to any criminal that wishes to use it, this patch should be treated with the greatest urgency.

"I'm glad to see they’ve finally addressed the IE flaw which has been known and exploited for months now," comments Chris Merritt at Lumension. "This is a particularly worrisome vulnerability, despite the work-around offered by Microsoft, which impacts all supported versions of IE 6 thru 11."

"This is definitely where I would focus my patching efforts," adds Ross Barrett, senior manager of security engineering at Rapid7, Note, however, that this patch will require a reboot, so admins will need to plan for its use.Bulletins #2 and #4 will also require restarts, while Bulletins #3 an #5, #6 and #7 may require a restart. Only Bulletin #8 will not do so.

Bulletins #2, #3, and #4 are marked critical and affect all versions from XP to Windows 8, including  RT. These vulnerabilities involve remote code execution (RCE) potential (in fact, only Bulletin #8 – relating to an information disclosure problem with Silverlight – does not do so). Writing in Naked Security, Paul Ducklin of Sophos explains, An RCE is "where an outsider can send you something that isn't suppose to cause a silent download - like a document or a web page - and infect you with malware, without so much as an 'Are you sure?' dialog, even if all you do is look at it."

The combination of a 'critical' label with RCE potential would suggest that Bulletins #1 to #4 should be applied with the greatest urgency – or in Microsoft's own recommendation, "immediately." The remaining Bulletins are marked 'important', and should – according to Microsoft – be applied "at the earliest opportunity."

Bulletin #5 catches the attention of Tyler Reguly, technical manager of security research and development:at Tripwire. "Once again," he notes, "the behemoth of SharePoint is on the list. At this point, given how vulnerable SharePoint has been lately and how difficult it is to patch, you have to wonder if it still provides value over similar offerings."

Bulletins #6 and #7 relate to vulnerabilities in Word and Excel. "Both seem to be file-format vulnerabilities," warns Wolfgang Kandek, CTO at Qualys, "that provide remote code execution when a file is opened. They should be high on your list of patches as attackers frequently use these vulnerabilities in attachments to well written e-mails that often get opened by the addressed parties."

By common consensus, Bulletin #8 addressing an information disclosure vulnerability in Silverlight, is the least urgent; but still needs to be addressed a soon as possible.

Finally it is worth mentioning that October's Patch Tuesday marks the tenth anniversary of what has become a model of patch management. This has been tarnished slightly in the last few months by what Lumension's Merritt calls a few sub-par patches. "While we hope they do better this month," he adds, "it’s important to remember to test these patches before doing a wholesale push out into your environment; that is, 'trust, but verify.'"

What’s Hot on Infosecurity Magazine?