Microsoft mega-patch closes critical IE flaws, fixes 57 vulnerabilities

Microsoft rated five patches as critical and seven as important, but advised first deploying MS13-009 and MS13-010 for IE and MS13-020 for those still using XP.

Microsoft patched a whopping 57 vulnerabilities for this February 2013 Patch Tuesday, "coming close to the all-time Patch Tuesday tally of 64 flaws, all patched with fixes in April 2011." You probably recall the critical zero-day hole in Internet Explorer 6, 7 and 8, then the IE quick-fix that was easily broken, before Microsoft issued an out-of-band security bulletin for IE on January 14. The patches today will close the critical IE holes.

Since there are two separate IE bulletins, Andrew Storms, director of security operations at nCircle, said his "Spidey senses" are on alert. "I'm sure other IT security teams are wondering exactly what kind of IE Valentine we're going to get." Storms added, "This is the first time I've seen them do this. Unless there's been an 'out-of-band' update for IE, they've never released more than one update [for the browser] in a month. I certainly expect to see an interesting blog post next week with some long, convoluted explanation."

While there is not yet a "convoluted explanation," MSRC took a detour to discuss baseball this time. The post also suggests using the free Enhanced Mitigation Experience Toolkit (EMET) for additional protection. An EMET preview was released at the 2012 Black Hat security conference in Las Vegas.

Of the 12 bulletins, five are critical and seven are classed as important, but the Microsoft Security Response Center advised deploying MS13-009 for IE first; it fixes 13 bugs. Another top priority is MS13-010, which is also for IE; it fixes a vulnerability in the Vector Markup Language. Microsoft said no attacks have been detected, but "the vulnerability could allow remote code execution if a user viewed a specially crafted webpage using Internet Explorer."

The other top-rated patch to deploy is MS13-020 for Object Linking and Embedding (OLE) Automation on Microsoft Windows XP. Although Microsoft said it also has not detected any attacks yet, "the vulnerability could allow remote code execution if a user opens a specially crafted file. An attacker who successfully exploited the vulnerability could gain the same rights as the current owner." As a reminder, end-of-life for XP is set for April 1, 2014, and that's no April Fool's prank.

Regarding the MS13-009 patch for IE, MSRC wrote:

This security update resolves thirteen issues in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner. The issues were privately disclosed and we have not detected any attacks or customer impact.

Additionally, the Microsoft Security Advisory 2755801 states, "Microsoft is announcing the availability of an update for Adobe Flash Player in Internet Explorer 10 on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10."

Sophos' Graham Cluley said, "If you are responsible for the security of your computer - do try to install the patches promptly."

The worry will be, of course, that malicious hackers will examine the patches released by Microsoft and attempt to release exploit code to take advantage of vulnerable computers shortly afterwards. The longer you take to update the security patches on your computer, the greater potential risk you could find yourself in. Of course, the worry is even worse for corporations - many of whom are reluctant to automatically roll out Microsoft security patches until they are confident that they don't cause conflicts that could increase calls to the internal support department.

Happy patching!


Copyright © 2013 IDG Communications, Inc.
