It's a two-stepping day for Microsoft's Patch Tuesday

We are back at it again with 10 updates in Microsoft's May edition of Patch Tuesday: two rated Critical and the remaining eight rated Important. This month's Patch Tuesday is really a story of a few steps forward followed by a step back, because last month's April release included a seriously flawed patch that Microsoft had to revoke and then re-release.

If you were quick to deploy your April Patch Tuesday patches to client machines and servers, your Wednesday may have been "less happy." Unfortunately, the April batch included MS13-036, a security update that, in Microsoft's words:

“resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application."

MS13-036 was rated Important and, unfortunately, caused a significant number of machines to crash or fail to restart after the update had installed.

So, that was last month. What about this month? The two updates rated Critical, MS13-037 and MS13-038, deal with serious bugs in Internet Explorer (IE). Every IE vulnerability fixed by these two patches allows remote code execution: a user who views a specially crafted web page can have arbitrary code run in the context of the logged-on account, and if that account is an administrator the attacker effectively owns the machine. That is the elevation-of-privilege outcome Microsoft defines in its MSDN technical references as:

"Elevation of privilege results from giving an attacker authorization permissions beyond those initially granted. For example, an attacker with a privilege set of "read only" permissions somehow elevates the set to include "read and write."

Crucially, a number of these IE bugs are rated Category 1 on Microsoft's Exploitability Index, which means an attacker would find it relatively easy to use one of them to compromise a client machine. Microsoft introduced an updated version of the Exploitability Index in late 2011, and it is a useful tool for judging how easy it is to turn a given Microsoft security vulnerability into a working exploit.

Microsoft rates not severity but the likelihood that working exploit code will appear, using the following categories:

  1. Exploit code likely
  2. Exploit code would be difficult to build (i.e. tough to build a reliable tool that automates this exploit)
  3. Exploit code unlikely

So, my recommendation here is to get a move on and deploy these two IE updates, as the vulnerabilities fixed by MS13-037 and MS13-038 carry the most severe exploitability rating of 1, meaning Microsoft expects consistent exploit code within 30 days of release, if it is not circulating already.

Of the remaining eight security patches in this May Patch Tuesday release, the next most important is MS13-046 (Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege). It is a separate bulletin, not a re-release, but it patches the same kernel-mode driver area that last month's troublesome MS13-036 addressed; MS13-036 itself was pulled and then re-released in April with a replacement package.

You have to worry about this a little, as Microsoft has been trying to fix this class of kernel-mode driver bug for quite a while now. There are a number of related updates, including the following: MS13-016, MS12-078, MS12-075, MS12-055, MS12-047, MS12-041, MS12-018, MS12-008, MS11-084, MS11-077, MS11-054 and MS11-032. I stopped digging after a few years, but I can guarantee that you have not heard the last of this particular vulnerability and associated fix, not for a while yet.
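The recommendation above (deploy the two IE updates) and the MS13-036 re-release story both come down to one operational question: which of your hosts actually have the right packages installed? The following PowerShell script is an added example, not code from the article or from Microsoft. It queries each host's installed hotfixes once, reports which bulletins are missing, and flags a host that still has only the withdrawn April package. The function name `Test-PatchTuesdayCompliance` and the KB numbers in the `$Required` and `$Withdrawn` tables are assumptions taken from the bulletin pages; confirm them against the bulletins before relying on the script.

```powershell
# Added example (not code from the article or from Microsoft): report which
# hosts still lack the packages behind the May 2013 IE bulletins, and flag the
# withdrawn April MS13-036 package if its re-released replacement is absent.
# KB numbers below are ASSUMPTIONS taken from the bulletin pages; verify them.
# Get-HotFix reads Win32_QuickFixEngineering over WMI, so remote hosts need
# DCOM reachable and an account with local administrator rights.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

# Bulletin -> package KB that must be present (assumed values).
$Required = @{
    'MS13-037'            = 'KB2829530'   # assumed: IE cumulative security update
    'MS13-038'            = 'KB2847204'   # assumed: IE security update
    'MS13-036 re-release' = 'KB2840149'   # assumed: replacement for the pulled package
}
# Package Microsoft withdrew in April (assumed value).
$Withdrawn = 'KB2823324'

function Test-PatchTuesdayCompliance {
    param(
        [Parameter(Mandatory=$true)][string]$Computer,
        [Parameter(Mandatory=$true)][hashtable]$Required,
        [string]$Withdrawn
    )

    try {
        # One WMI query per host; all filtering happens locally afterwards.
        $installed = @(Get-HotFix -ComputerName $Computer -ErrorAction Stop |
                       ForEach-Object { $_.HotFixID })
    } catch {
        # An unreachable or access-denied host must never be reported as patched.
        return New-Object PSObject -Property @{
            Computer = $Computer; Status = 'UNREACHABLE'; Detail = $_.Exception.Message
        }
    }

    $missing = @()
    foreach ($bulletin in ($Required.Keys | Sort-Object)) {
        if ($installed -notcontains $Required[$bulletin]) {
            $missing += "$bulletin ($($Required[$bulletin]))"
        }
    }

    # The withdrawn package on its own means the April mistake was installed
    # and the fixed package never followed it.
    $notes = @()
    if ($Withdrawn -and ($installed -contains $Withdrawn) -and
        ($installed -notcontains $Required['MS13-036 re-release'])) {
        $notes += "withdrawn $Withdrawn present without its replacement"
    }

    $status = if ($missing.Count -eq 0 -and $notes.Count -eq 0) { 'OK' } else { 'ACTION' }
    New-Object PSObject -Property @{
        Computer = $Computer
        Status   = $status
        Detail   = (($missing + $notes) -join '; ')
    }
}

$results = foreach ($c in $ComputerName) {
    Test-PatchTuesdayCompliance -Computer $c -Required $Required -Withdrawn $Withdrawn
}

$results | Select-Object Computer, Status, Detail | Format-Table -AutoSize

# Non-zero exit so a scheduled job or a deployment gate can act on the result.
if (@($results | Where-Object { $_.Status -ne 'OK' }).Count -gt 0) { exit 1 }
```

Run it as `.\Check-May2013.ps1 -ComputerName srv01, srv02` from an account with admin rights on the targets. The script deliberately treats "could not query" as a failure rather than a pass: a compliance report that silently skips unreachable hosts is how the one unpatched IE8 box gets forgotten.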

On a slightly different note, a recent study set out to determine which of the major browsers (Microsoft's IE, Google Chrome and Mozilla Firefox among them) is the most secure. Microsoft IE 10 won the contest, blocking 99.96 percent of the malicious downloads tested, thanks to its SmartScreen application-reputation filtering; Google Chrome, with its newer CAMP (content-agnostic malware protection) download check, came second. Nice one, Microsoft.

This article is published as part of the IDG Contributor Network.
