Patch Tuesday history with a touch of critical and important

For now, you may think of the regularly scheduled Patch Tuesday as lackluster – including this month’s average size release of updates – and you may be right. However, Patch Tuesday wasn’t always set to release patches on a managed schedule on the second Tuesday of every month. In fact, Patch Tuesday as we know it is nine years old this month – with the first release cycle raising a good deal of criticism and then relief from enterprise customers. Patch Tuesday is a huge success for consumers and enterprise clients alike. Even with the critics of this release cycle and the supposed Exploit Wednesday, the reality is that Microsoft has made steady, continuous progress in ensuring that its desktop, server and productivity applications are more secure and regularly kept up-to-date.

Now that we’re done with the history lesson, we can discuss the present – including the latest updates to recent Patch Tuesday releases. This month, there were four Patch Tuesday re-releases from July, including MS12-006 (Important), MS12-052 (Critical), MS13-054 (Critical) and MS13-055 (Critical). These patch re-releases were related to informational changes (e.g. changes to the related Microsoft KB articles); both the detection logic and the payloads (updated files and settings) were unchanged. If you have already updated your system with these patches, no further action will be required.

August’s Patch Tuesday was a busy one. In addition to a number of updates to previous patches, Microsoft released eight patches for August, three of which were rated as Critical and five as Important.

Beginning with the five updates rated Important, we have MS13-062, which relates to a specially crafted Remote Procedure Call (RPC) that may result in an Elevation of Privilege vulnerability. This RPC-related vulnerability requires access to your local network and a specially coded RPC instruction. Microsoft disclosed that there are no publicly available exploits or disclosures for this vulnerability at present. The next Important update from Microsoft this month is MS13-063, which relates to four reported vulnerabilities that may result in an Elevation of Privilege attack. This update replaces recent Important kernel updates, including MS13-031 and MS13-048. The remaining patches rated Important are MS13-064, MS13-065 and MS13-066, which relate to Denial of Service and Information Disclosure attacks respectively.

The first Critical patch for this month is MS13-059, which updates Microsoft's Internet Explorer (IE). This update is rated Critical for IE versions 6, 7, 8, 9 and 10 for desktop platforms and rated Important for all server platforms. MS13-059 also replaces the update MS13-055, which was last month's Critical update that addressed memory corruption and Remote Code Execution vulnerabilities in Microsoft's IE browser.

Next we have MS13-060, which relates to a Remote Code Execution vulnerability in Microsoft's OpenType fonts and replaces the three-year-old update MS10-063. Since this update only affects Windows XP (SP3) and early versions of Server 2003, users running Vista, Windows 7, 8 and later do not need to take any action. We have already seen a number of updates to Microsoft's font technology this year; I expect to see a few more of these updates before the end of the year.

MS13-061, the most interesting of this month’s updates, is rated as Critical and updates MS13-012, released earlier this year. Both updates relate to a vulnerability in how Exchange handles viewing WebReady documents and online attachments in certain email message formats. Microsoft describes the issue as:

"vulnerabilities could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA)."

Digging a little deeper into the three reported vulnerabilities (CVE-2013-2393, CVE-2013-3776 and CVE-2013-3781), we see that this security issue relates to an Oracle plug-in vulnerability. In fact, the CVE-2013-3776 entry describes this Oracle middleware issue as:

"Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middle-ware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent attackers to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3781."

If you are looking for a little fun – and semi-circular references – you should read the description of the related Oracle security issue CVE-2013-3781, which includes the following text:

"Unspecified vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.7, 8.4.0, and 8.4.1 allows context-dependent to affect availability via unknown vectors related to Outside In Filters, a different vulnerability than CVE-2013-3776."

Now I see why everyone is worried about this security issue. Both vulnerabilities are "unspecified," but they are different from each other. Interesting.

This intersection or "collision" of multi-vendor updates is an important marker in the evolution of Microsoft's Patch Tuesday release cycle. To fully address this issue, you need to update your server systems (Exchange Server) with this latest patch, and you need to ensure that your middleware (Oracle Outside In) is up to date as well. Oracle has followed Microsoft with a massive patch release cycle called Critical Patch Updates and Alerts. Critical Patch Updates are released on the Tuesday closest to the 17th day of January, April, July and October. The next four dates are:

  • 15 October 2013
  • 14 January 2014
  • 15 April 2014
  • 15 July 2014

Starting with the October 2013 Critical Patch Update, security fixes for Java SE will be released under the normal Critical Patch Update schedule. Now we just need Adobe involved and the party will really get started.
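As an added example (not part of the original article), here is a small Python script that encodes both release rules described above: Microsoft's second-Tuesday schedule and Oracle's Tuesday-closest-to-the-17th rule. It reproduces the four Critical Patch Update dates listed above and measures the gap between the two vendors' patch days in a CPU month, which is the planning window a team that runs Exchange on top of Oracle Outside In has to work with.

```python
from datetime import date, timedelta

TUESDAY = 1  # date.weekday() numbering: Monday == 0 ... Sunday == 6
CPU_MONTHS = (1, 4, 7, 10)  # Oracle CPUs ship in January, April, July, October


def microsoft_patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's Patch Tuesday."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def oracle_cpu_date(year: int, month: int) -> date:
    """Tuesday closest to the 17th: Oracle's Critical Patch Update day."""
    if month not in CPU_MONTHS:
        raise ValueError("Oracle CPUs are only released in Jan/Apr/Jul/Oct")
    seventeenth = date(year, month, 17)
    forward = (TUESDAY - seventeenth.weekday()) % 7  # days until next Tuesday
    # A week has an odd number of days, so there is never a tie: a forward
    # gap above 3 means the previous Tuesday (forward - 7 days) is nearer.
    offset = forward if forward <= 3 else forward - 7
    return seventeenth + timedelta(days=offset)


def next_oracle_cpu_dates(after: date, count: int = 4) -> list[date]:
    """The next `count` Oracle CPU dates strictly after `after`."""
    found: list[date] = []
    year, month = after.year, after.month
    while len(found) < count:
        if month in CPU_MONTHS:
            cpu = oracle_cpu_date(year, month)
            if cpu > after:
                found.append(cpu)
        month += 1
        if month > 12:
            year, month = year + 1, 1
    return found


def patch_gap_days(year: int, month: int) -> int:
    """Days from Patch Tuesday to the Oracle CPU in the same CPU month."""
    return (oracle_cpu_date(year, month) - microsoft_patch_tuesday(year, month)).days


if __name__ == "__main__":
    # August 2013 Patch Tuesday is the starting point used in this article.
    for cpu in next_oracle_cpu_dates(microsoft_patch_tuesday(2013, 8)):
        print(cpu.strftime("%d %B %Y"))
```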

Copyright © 2013 IDG Communications, Inc.
