This month, Microsoft is planning for 7 bulletins, of which 5 are critical and 2 are important. The software giant released its advance notification for Patch Tuesday a few minutes ago. Two patch management experts have sent me their early analysis. Here it is, in full:
Paul Henry, Lumension:
This month, there are 7 bulletins, of which 5 are critical and 2 are important. Fortunately, none are currently under active attack, so that should set IT’s mind at ease as they begin to apply this set of patches.
Since 2012 is coming to an end, let’s start off with a quick look at the numbers year-over-year. In 2011, Microsoft had 100 bulletins for the calendar year, of which 34 were critical, 63 important and 3 moderate. In 2012, they reduced the number of bulletins by close to 20 percent, coming in at 83 bulletins for the year, of which 35 were critical, 46 important and 2 moderate. It’s great to see that Microsoft’s Secure Coding Initiative is paying off, reducing the number of vulnerabilities in their software, resulting in an easier time for IT at Patch Tuesday time.
Another trend that’s interesting to note is Microsoft’s consistency. When you look at the numbers in-depth, you can see that in 2011, there was a bit of yo-yo’ing going on with Patch Tuesday. For example, in January, there were 2 bulletins, while February had 12. March then went back down to 3, but April went up to 17, while May went down to 2 and June back up to 16. IT might have felt like they had whiplash by the end of the year! In contrast, January of this year had 7, a slight increase to 9 in February, then 6 in both March and April, and 7 in both May and June. In fact, only one month – September, at 3 – was lower than 6 or higher than 9. The degree of consistency makes it easier for IT to plan out the time and effort they’ll need to spend on Patch Tuesday each month.
Now, onto this month’s bulletins! The most important bulletin is Bulletin 1, affecting IE 9 and IE 10. It’s a critical severity rating. These are use-after-free issues. They affect only components that were introduced in IE9, which is interesting, because it means that it affects IE 9 and IE 10 and the downlevel platforms don’t really have the components. Microsoft has done some defense in depth hardening for those platforms to address these issues. However, because those platforms don’t have the affected components, they were not given a severity ranking.
The next priority is Bulletin 3, which is a Microsoft Word remote code execution vulnerability. While typical Word vulnerabilities are ranked important, this is ranked critical. Similar to a bulletin issued a few months ago, there’s an issue with RTF formatted data that can be parsed in the Outlook Preview Pane, executing the vulnerability. Because of that parsing, this will be very important to apply quickly.
Next, Bulletin 2 is a kernel mode drivers issue, ranked critical. Similar to a bulletin last month, this affects True Type and Open Type parsing. However, because executing on this vulnerability would be time consuming and difficult, this is less important than the Word and IE issues.
Bulletin 4 is an Exchange vulnerability involving a remote code execution. A few months ago, Microsoft addressed Oracle Outside In vulnerabilities for the first time. This is a similar update addressing the recent Oracle update to Outside In. There’s never been an active attack on this, but it’s an important component, so it’s good to see Microsoft performing their due diligence here.
Then we have Bulletin 5, a remote code execution issue in the Windows file handling component, affecting Windows XP through Windows 7. Fortunately, Windows 8 is not affected here. Essentially, when Windows Explorer parses a file name, it hits this vulnerability.
Bulletin 6 affects a vulnerability in Direct Play, affecting all versions of Windows from XP through Windows 8. As we said last month, Windows 8 is unfortunately not perfect, security-wise, and we can expect updates for that operating system to become more common in 2013. If you use Direct Play to parse content in Office documents or things embedded in Office documents, this vulnerability will come into play. The Office documents will act as a vector, but it is a Windows level vulnerability.
Finally, Bulletin 7 is a vulnerability in IP HTTPS, which is a component in Direct Access. Direct Access is a common VPN authentication solution that checks corporate credentials when you log in to ensure they have not been revoked or expired. Essentially, this is a bug that doesn’t honor the revocation of time stamp, as you might see for corporate credentials after an employee leaves a company. This vulnerability would allow someone with a revoked certificate to log in and access corporate assets. This is ranked important if you use Direct Access.
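The revocation check that Bulletin 7 is described as skipping, shown as an added example that is not from the original post, Lumension, or Microsoft: a Go program (chosen because Go's standard library carries complete X.509 CRL support) builds a constructed in-memory PKI with a made-up issuing CA, one active user certificate and one belonging to a departed employee, has the CA sign a CRL revoking the second, and then validates each certificate the way a VPN gateway should: reject expired certificates, verify that the CRL really came from the issuer, refuse a stale CRL rather than treat it as "nothing revoked", and deny any serial number listed as revoked. The CA name, user names, serial numbers and the December 2012 reference time are all assumptions for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Status is the outcome of validating a client certificate at one instant.
type Status int

const (
	StatusUnknown Status = iota // validation could not complete: deny access
	StatusValid                 // inside its validity window and not on the CRL
	StatusExpired               // outside NotBefore..NotAfter
	StatusRevoked               // listed on a fresh, issuer-signed CRL
)

// CheckClientCert decides whether cert, issued by issuer, may still be used at
// time now. A CRL that fails to parse or verify, or is past its NextUpdate,
// yields an error (fail closed), never a silent "not revoked".
func CheckClientCert(cert, issuer *x509.Certificate, crlDER []byte, now time.Time) (Status, error) {
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return StatusExpired, nil
	}
	if !bytes.Equal(cert.RawIssuer, issuer.RawSubject) {
		return StatusUnknown, errors.New("certificate was not issued by the supplied issuer")
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return StatusUnknown, fmt.Errorf("parse CRL: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return StatusUnknown, fmt.Errorf("CRL signature: %w", err)
	}
	if !crl.NextUpdate.IsZero() && now.After(crl.NextUpdate) {
		return StatusUnknown, errors.New("CRL is past NextUpdate; refusing to rely on it")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 && !now.Before(rc.RevocationTime) {
			return StatusRevoked, nil
		}
	}
	return StatusValid, nil
}

// DemoPKI is a constructed in-memory PKI: an issuing CA, an active user cert,
// a departed employee's cert, and a CRL revoking the latter (all made up here).
type DemoPKI struct {
	CA, Active, Revoked *x509.Certificate
	CRLDER              []byte
	Now                 time.Time // reference instant at which the CRL is fresh
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent (self-signed when parent == tmpl) and re-parses it
// so that generated fields such as SubjectKeyId are populated.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

func BuildDemoPKI() *DemoPKI {
	now := time.Date(2012, 12, 11, 12, 0, 0, 0, time.UTC) // assumed reference time
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp Issuing CA"},
		NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	user := func(serial int64, cn string) *x509.Certificate {
		k := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
		return issue(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-24 * time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, ca, &k.PublicKey, caKey)
	}
	active, revoked := user(1001, "alice"), user(1002, "departed-employee")
	// The CA publishes a CRL naming the departed employee's serial number.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Hour), NextUpdate: now.Add(7 * 24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Hour)}},
	}, ca, caKey))
	return &DemoPKI{CA: ca, Active: active, Revoked: revoked, CRLDER: crlDER, Now: now}
}

func main() {
	p := BuildDemoPKI()
	for _, c := range []*x509.Certificate{p.Active, p.Revoked} {
		s, err := CheckClientCert(c, p.CA, p.CRLDER, p.Now)
		fmt.Printf("%-18s status=%d err=%v\n", c.Subject.CommonName, s, err)
	}
}
```

The design point is the fail-closed path: a gateway that cannot obtain a fresh, correctly signed CRL has no basis to say a certificate is still good, so the function returns an error instead of StatusValid. Applied to the scenario in the paragraph above, the departed employee's certificate is still within its NotBefore/NotAfter window, and only the CRL lookup turns it into a denial.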
Alex Horan, senior product manager, CORE Security:
Bulletin 1. Appears to target IE6, 7, 8, 9 and 10, marked as critical for Vista, Windows 7, Server 2008 R2, Windows 8 and Windows RT (moderate for Server 2008 & 2008 R2, 2012). This is a good one, a client side for Windows 7 and 8. A very attractive exploit to attackers to have.
Bulletin 2. This may be a network or local exploit that is marked as Critical for XP SP3, Windows 2003 SP2, Vista SP2, Server 2008 SP2, Windows 7 SP0 & SP1, Server 2008 R2 SP0 & SP1, Windows 8, Windows RT. Man, this is really the entire Windows family! They don’t say if this is a vulnerability on those systems that could be attacked over the network or if you need to be able to run code locally, but having an exploit that would potentially work against a wide range of Windows systems is a great utility to have in your bag.
Bulletin 3. Rated as Important for Word 2003 SP3 and critical for Word 2007 SP2 & 3 and Word 2010 SP1. This is classic client side fodder, send an email with a job offer attached, or the new 401k plan attached and get control of a user’s machine, plus if you exploit Bulletin 2, you get control of everything.
Bulletin 4. Wowser! A Critical vulnerability in Exchange 2007 SP3 and 2010 SP1 & 2 – internet facing servers with a Remote Code Execution vulnerability, and email servers. You don’t just randomly turn off email servers without generating howls of protest from your company to fix this one. This is my number one vulnerability in the bunch.
Bulletin 5. Critical for Windows XP SP3, Server 2003 SP2, Vista SP2, Server 2008 SP2, Windows 7 SP0 and 1, Windows 2008 SP0&1. If they had added Windows 8 then this would have been my new favorite, still that list represents a large percentage of the Microsoft operating systems that are installed out there.
Bulletin 6. Well, after the rest, an important vulnerability for Windows XP, Vista, 7, 8 and Server 2003, 2008, 2012 just doesn’t get a rise out of me. Given the other vulnerabilities are rated as critical, this one will get a pass from security researchers; they are going to feast on the first five bulletins of goodness.
Bulletin 7. It is not really clear what the bypass is, but as it only affects Windows Server 2008 and 2012 this again is a lower ranked issue – though I expect people will be quite curious about what the bypass is, as where there is one bypass there may be others.