Microsoft patches Pwn2Own & IE8 'nuke' critical holes

It's Patch Tuesday again and Microsoft worked to quickly resolve the zero-day exploiting IE8 in watering hole attacks and the vulnerabilities exploited at Pwn2Own.

Ladies and gentlemen, start your engines, but be ready to reboot as Microsoft released 10 security bulletins to patch 33 vulnerabilities that are listed as critical or important. That may make your eye twitch, especially if you were trapped in a boot loop last month due to a bad Microsoft patch, so get ready to find some "extra" time to test the patches on corporate machines before deploying.

"In light of the reboot loop problems resulting from the Microsoft patches issued in April, businesses need to have the ability to test patches, or have a trusted third-party test them, before deploying on corporate networks and PCs, in order to minimize potential downtime caused by a faulty patch," advised Cristian Florian, product manager at GFI Software. The patches need to be deployed as soon as possible, as "They will remove some vulnerabilities that could be exploited to gain backdoor access to an organization's network."

One of the critical security updates, MS13-037, patches 11 privately reported vulnerabilities in Internet Explorer, including the exploit of IE 10 on Windows 8 at Pwn2Own 2013. The security firm Vupen used two zero-day vulnerabilities to compromise the Surface Pro tablet and bypassed the sandbox to achieve medium integrity code execution. Vupen, which has been criticized for selling zero-day exploits to governments, tweeted:

Although Microsoft previously released a "Fix it" after a zero-day vulnerability was exploited in IE8 for watering hole attacks aimed at Department of Energy (DOE) employees who worked with nukes, the Redmond giant worked night and day to get a patch ready. Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing, said, "Our engineers worked around the clock to prepare and test MS13-038, which will help keep customers safe by permanently addressing the Internet Explorer 8 issue. We recommend prioritizing this bulletin, along with MS13-037 and MS13-039, and updating your systems as soon as possible."

In all, this May 2013 Patch Tuesday will resolve a plethora of security problems such as Remote Code Execution, Denial of Service, Spoofing, Information Disclosure and Elevation of Privilege.

Microsoft also has changed the way in which it communicates the technical details within security advisories. Enterprise customers "will be able to clearly identify key security updates" such as whether the patch will be light and require only wine, or intense and require at least a double-shot of whiskey. Just joking, relax. Actually, Microsoft explained:

This change allows for the following:

  • We can more accurately classify security bulletin updates that do not have an "MSRC Severity" rating assigned. For example, MS13-038: Security update for Internet Explorer 9: May 14, 2013 does not have a severity rating assigned. Going forward, the "MSRC Severity" rating will be classified as "Unassigned" instead of as "Critical update," although the bulletin severity is "Critical update."
  • We can correctly classify security advisory updates that do not relate to a vulnerability in Microsoft code but do have security implications.

For these kinds of security issues, customers can expect to see the "MSRC Severity" rating set to "Unassigned."

Other Microsoft tidbits: Blue is Windows 8.1 & chat with Gmail friends from Outlook

At the JP Morgan Technology, Media and Telecom Conference, Microsoft's Tami Reller announced that Windows Blue is officially named Windows 8.1 and "will be a free update to Windows 8 for consumers through the Windows Store." Starting on June 26, Windows 8 and RT device users will be able to download the public 8.1 update preview.

Microsoft is also rolling out cool changes to that will allow users "to chat with friends stuck on Gmail." The Outlook blog reported, "When you open the Messaging pane in or SkyDrive, you'll see a message that helps you set up chat with your Google contacts. Just click it to get started; setup will only take a minute."

Follow me on Twitter @PrivacyFanatic

Copyright © 2013 IDG Communications, Inc.