Microsoft Patch Tuesday: April 2013

The clocks have finally sprung forward here in the UK, which gives us another hour of daylight and more time to examine the latest releases of Microsoft's Patch Tuesday security update process. With the Microsoft Security Bulletin Summary for April 2013, we see a set of nine updates, with two marked as “Critical,” and the remaining seven rated as “Important.” As usual, all of these updates will require a restart on your desktop machines.

Let’s start with the two patches rated Critical (MS13-028 and MS13-029), which deal with Microsoft's Internet Explorer (IE) and the Microsoft remote desktop protocol, RDS. Update MS13-028 addresses a vulnerability in which a user who visits a specially crafted website may inadvertently hand control to an attacker, who would then have the same privileges as that user. In addition to addressing this serious security issue, Microsoft is bundling 11 bug fixes into MS13-028 to resolve technical issues relating to application crashes and incorrectly rendered HTML.

But wait, there's more. As we have repeatedly seen in the past, Adobe Flash Player has proven a significant security issue for Internet Explorer and Microsoft. The Adobe Security Bulletin APSB13-11 deals with a security issue that only affects IE10 on Windows 8. I find this Adobe update a little interesting, as it's usually the case that if a security issue affects a single version of a product, it's the oldest version, not the latest and greatest release.

The next update from Microsoft relates to the Remote Desktop Protocol and concerns only client versions 6.1 and 7.0; therefore, it will potentially affect only the Windows XP and Windows 7 desktop platforms. A potential security issue also exists for Microsoft's server platforms (Windows Server 2003, 2008 and 2008 R2), although Microsoft rates this issue only as “Moderate.” The security database and website Common Vulnerabilities and Exposures (CVE) describes the issue as:

The Remote Desktop ActiveX control in mstscax.dll in Microsoft Remote Desktop Connection Client 6.1 and 7.0 does not properly handle objects in memory, which allows remote attackers to execute arbitrary code via a web page that triggers access to a deleted object, and allows remote RDP servers to execute arbitrary code via unspecified vectors that trigger access to a deleted object, aka "RDP ActiveX Control Remote Code Execution Vulnerability."

Of the seven remaining patches, all of which Microsoft has rated as “Important,” six deal with "Elevation of Privilege," which means that an attacker may gain security privileges that he or she should not have. Microsoft defines this issue as: 

Elevation of privilege results from giving an attacker authorization permissions beyond those initially granted. For example, an attacker with a privilege set of "read only" permissions somehow elevates the set to include "read and write."

The seventh “Important” patch from the April 2013 set of Microsoft updates relates to a Denial of Service attack on Active Directory.

I found one of the patches released this April a little amusing, as it relates to a security vulnerability in Microsoft's own anti-malware application. Microsoft update MS13-034 attempts to resolve a security hole in Microsoft's own anti-malware client, Windows Defender. Windows Defender is Microsoft's free anti-malware tool and competes directly with "for-pay" security vendors such as Norton and Symantec. This patch affects only Windows 8 and Windows RT, and the flaw is the result of an improper pathname to the core Windows Defender executable, MsMpEng.exe.

Come on Microsoft, you shouldn’t have let this one slip through!

This article is published as part of the IDG Contributor Network.
