Microsoft Patch Tuesday: March 2013

With this month’s Microsoft Patch Tuesday update, we see a set of seven updates, four of which are marked as “Critical,” addressing serious problems that could enable someone to access your computer if they are not patched. The remaining three are rated as “Important,” and, while they aren’t as serious as the critical patches, they do address security issues that need to be fixed. Most of the seven patches affect Microsoft Office, with only two impacting Windows.

One of the biggest issues for this Patch Tuesday release relates to the critical update for Internet Explorer (MS13-021), which resolves nine serious vulnerabilities. These vulnerabilities and the subsequent Microsoft Update affect Internet Explorer versions 6, 7, 8, and 9 across Microsoft’s XP, Vista, Windows 7, Windows 8, and Windows 8 RT. Interestingly, and probably relevant for some enterprises, this patch does not affect IE10 on Windows 7 (with SP1). Neither does this update affect Windows Server 2008 and Server 2012.

On a more interesting but slightly less important note, the Microsoft update to Adobe Flash is more of a policy change than a response to a direct vulnerability. In the past (as recently as last week), Microsoft maintained a curated list (a “white list”) of websites containing Adobe Flash content that appeared to work well with Microsoft browsers. This was probably a sensible approach a few years ago, when the number of Flash sites that misbehaved was quite high and caused a number of issues on modern browsers. Now, with this update, Flash is enabled by default, and the Microsoft Compatibility View (CV) list becomes a “black list” that blocks known Flash sites and content with compatibility or performance issues. Rob Mauceri, Group Program Manager for Internet Explorer, says in the IE Blog:

“Looking at our engineering experience with Flash and Windows 8 and RT, as developers improve their Flash content, the vast majority of sites with Flash content that we have tested are now compatible with the Windows experience goals. Of the thousands of domains tested for Flash compatibility to date, we have found fewer than 4 percent are still incompatible, in the most part because the core site experience requires other ActiveX controls in addition to Flash.”

This is a big change and is sure to be seen as a competitive advantage for Microsoft on their tablet platforms, when compared with the lack of Flash support on Apple’s iPad.

The Dell Patch Impact team has found that, for two of the patches in this Microsoft Update (MS13-023 and MS13-025), a significant number of applications in our test application portfolio either contain or have direct dependencies on components changed by these updates. Given these warnings, it is likely that internally developed (line-of-business) applications will need to be tested before these updates are rolled out.

Of the seven patches, two “require a restart to load correctly,” three “may require a restart,” and two do not need a restart. So, it’s probably best to assume that all require a restart to be installed correctly.

Details of the four “Critical” updates include:

  • MS13-021 is a cumulative security update for Internet Explorer that resolves eight privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-022 resolves a privately reported vulnerability in Microsoft Silverlight. The vulnerability could allow remote code execution if an attacker hosts a website containing a specially crafted Silverlight application that could exploit this vulnerability, and then convinces a user to view the website. The attacker could also take advantage of compromised websites and those that accept or host user-provided content or advertisements. Such websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit a website. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email or Instant Messenger message that takes them to the attacker's website. It could also be possible to display specially crafted web content by using banner advertisements or other methods to deliver web content to affected systems.
  • MS13-023 resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-024 resolves four privately reported vulnerabilities in Microsoft SharePoint and Microsoft SharePoint Foundation. The most severe vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted SharePoint site.

Details of the three “Important” updates include:

  • MS13-025 resolves a privately reported vulnerability in Microsoft OneNote. The vulnerability could allow information disclosure if an attacker convinces a user to open a specially crafted OneNote file.
  • MS13-026 resolves one privately reported vulnerability in Microsoft Office for Mac. The vulnerability could allow information disclosure if a user opens a specially crafted email message.
  • MS13-027 resolves three privately reported vulnerabilities in Microsoft Windows. These vulnerabilities could allow elevation of privilege if an attacker gains access to a system.

This article is published as part of the IDG Contributor Network.
