Urgent fixes for Patch Tuesday's 10th anniversary

On this 10th anniversary of Patch Tuesday, Microsoft has released eight updates, four rated as Critical and the remaining four rated as Important. Microsoft first announced a monthly patch cycle at the inaugural session of the Microsoft Worldwide Partner Conference in 2003 – when Windows 2000 was still around and a major security concern. Viruses were transmitted over the still-young Internet, and Worms propagated almost unhindered across large corporations. In the beginning, Microsoft released patches and security updates on an ad-hoc basis, sometimes with long delays between a reported vulnerability and a fix or patch, instead of a schedule for patches and fixes that organizations could plan and schedule into their operational activities. Tuning into this problem, Steve Ballmer said at the WPC conference,

That predictability is something you and our customers have highlighted to us we need to do, because people are feeling like they have to drop everything and deploy every patch at all times.

In addition, to a scheduled patch cycle, Microsoft also introduced the Delta-Patch technology, which, at the time, helped Windows users reduce modem-driven patch download times by up to 80 percent. This technology has now been re-branded as the Microsoft Binary Delta Compression Technology, and is still used today to deliver updates and patches to modern platforms such as Windows 7 and Windows 8.

Back to October’s patches, the most urgent Critical patch is MS13-080, which updates Microsoft 's Internet Explorer (IE) in an attempt to resolve one publicly reported and nine privately reported vulnerabilities that could allow an attacker to gain complete control over a compromised machine. Even if this attack fails, it will crash or "freeze" the target machine and create a Denial-of-Service (DOS) scenario. This update affects all 32- and 64-bit Microsoft desktop and server platforms, except (oddly enough) Windows 7 SP1. Given the nature of this update and the criticality of this vulnerability, this is a “Patch Now!” update.

The next update is MS13-081, which addresses another Remote Code Execution vulnerability in Windows Kernel Mode Drivers. This update attempts to resolve seven privately reported vulnerabilities. As we have seen before, this problem relates to how OpenType and TrueType fonts are processed in memory on Windows platforms. With this low-level system-wide vulnerability, an attacker could gain full control to the target system, and at this point, Microsoft has not released any mitigating factors or workarounds. This one looks like a “Patch Next!” update.

The next Critical update, MS13-082, is also a Remote Code Execution-related vulnerability addressing one publicly reported and two privately reported vulnerabilities that again deal with OpenType fonts in the Microsoft .NET framework. In particular, this vulnerability relates to how .NET instantiates XBAP applications. XBAP are described by Microsoft Developer Network (MSDN) website as,

XAML browser applications (XBAPs) combines features of both Web applications and rich-client applications. Like Web applications, XBAPs can be deployed to a Web server and started from Internet Explorer or Firefox. Like rich-client applications, XBAPs can take advantage of the capabilities of WPF. Developing XBAPs is also similar to rich-client development.

When dealing with XBAP applications, this patch also resolves issues with OpenType fonts, XML digital signatures, and document-type definitions in JSON data encodings.

The fourth Critical update for this month is MS13-082, AND it is yet another remote code execution vulnerability that occurs if an attacker sends a specially crafted web request to an ASP.NET web application running on an affected platform. It’s crucial to note that Microsoft has not offered any mitigating factors or workarounds for this issue. This update only affects 64-bit platforms and deals with a pretty core Windows system file: COMCTL32.DLL.

If you have been in the desktop and server management industry for a while, you will be very familiar with this particular system file as it holds most of the code for common items in Windows, such as dialog boxes, radio buttons, text boxes, and other graphical operating system infrastructure. Because Microsoft has not offered any workarounds for this security issue, this update requires a priority testing and deployment effort.

The final four patches for October are rated as Important and deal with security issues within Microsoft 's SharePoint, Excel and Word that may lead to Remote Code Execution scenarios and a potential information disclosure in Silverlight.

This article is published as part of the IDG Contributor Network. Want to Join?

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.