Patch Tuesday: Fixes 4 critical flaws, 8 remote code execution vulnerabilities

Happy patching!

Microsoft released 13 security bulletins, four rated critical, with the suggested deployment priority starting with MS13-068 for Outlook, MS13-069 for every supported version of Internet Explorer, and MS13-067 for SharePoint. MS13-070 is also rated critical and is one of eight patches to close remote code execution vulnerabilities.

MS13-068 should patch a "memory corruption vulnerability accessible by simply previewing a message in the Outlook Preview Pane." Dustin Childs, group manager, Microsoft Trustworthy Computing, released this statement:

While the Outlook bulletin is certainly one to pay attention to, building a reliable exploit for this issue won't be easy. Still, we've listed this update as one of our highest priorities for this month and encourage customers to deploy the bulletins to help ensure protection.

Conversely, Wolfgang Kandek, CTO of Qualys, told Computerworld that he predicts the Outlook flaw will be "extremely dangerous." He said, "Past patterns in critical Office vulnerabilities have always been through the preview pane. It is pretty much the only way to get into Outlook without user interaction, which is Microsoft's criteria for a critical rating."

Seven of the security updates this month address vulnerabilities in Office.

Based on the fact that Microsoft has released Internet Explorer security updates for 11 months in a row, Andrew Storms, director of DevOps at CloudPassage, said, "I expect we'll see IE updates every month from now on." That puts Microsoft's browser on a more frequent patch schedule, similar to Chrome and Firefox.

Additionally, Microsoft said it was "revising Security Advisory 2755801" to provide the latest update for Adobe Flash Player in IE "on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11." The company noted that the update for Windows RT is only available via Windows Update.

Last month, Microsoft had to pull three security updates after receiving reports that they caused functionality issues with Windows Server Active Directory Federation Services (ADFS). Hopefully there will be no issues this month, other than having to plan on rebooting.


Copyright © 2013 IDG Communications, Inc.
