January 2013 Patch Tuesday Overview
To ring in the New Year, today Microsoft has released seven new security bulletins addressing 12 vulnerabilities.
However, the most notable headline from this Patch Tuesday is a security bulletin that was not released. On December 29, 2012, Microsoft released a security advisory (2794220) informing administrators of a vulnerability in Internet Explorer was currently being exploited. Microsoft provided a non-security update to prevent exploitation to that vulnerability. Recently, security researchers have found a way to bypass this temporary fix to carry out an attack on the vulnerability. As we continue to wait for a security bulletin for Internet Explorer, it is critical that administrators keep their antivirus definitions up to date and upgrade their Internet Explorer browsers to version 9 if possible. Only Internet Explorer browser versions 6, 7 and 8 are affected by this vulnerability.
Of the seven Microsoft security bulletins released for the January 2013 edition of Patch Tuesday, administrators should look at patching MS13-002 first. Microsoft has identified a vulnerability in Microsoft XML Core Services. If an unpatched systems browses to a malicious website, an attacker can gain remote code execution.
The other browsing threat this month that needs attention from administrators is MS13-004. In this security bulletin, Microsoft is addressing a vulnerability in their .NET software application. If an unpatched machine browses to a malicious website, an attack can gain elevation of privilege on that machine.
The other critical update this month (MS13-001) addresses a vulnerability in the Windows Print Spooler. If a machine is set up as a print server, an attacker can send a malicious print job to the machine and gain remote code execution. Security best practices call for printer servers to reside behind a firewall that only allows internal users to print to the print server. A most likely attack scenario is for an attacker to already be on the internal network.
And as is becoming a recurring theme, this Patch Tuesday is not just a Microsoft-focused security day. Several non-Microsoft software vendors have also joined in with releases of their own.
Adobe has released security bulletin APSB13-02 affecting all supported version of Adobe Acrobat and Reader. This security bulletin is part of their quarterly update for Adobe Acrobat and Reader and was expected.
Adobe also released updates for their Air and Flash Player products. These updates are security updates were not previously announced (APSB13-01). With any Adobe Flash Player update, Microsoft and Google update their latest browsers to include the new release of Adobe Flash Player.
Mozilla also released new versions of their products. Mozilla Firefox 18 are new versions of their product that only contain new features. Previous versions of the Mozilla products also received updates that contain security fixes.
- Mozilla Firefox 17.0.2
- Mozilla Firefox ESR 10.0.12
- Mozilla Thunderbird 17.0.2
- Mozilla Thunderbird ESR 10.0.12
- Mozilla SeaMonkey 2.15
Given that the January 2013 Patch Tuesday does not include a security update for the zero-day Microsoft Internet Explorer vulnerability, there is a good chance we will see an out-of-band update from Microsoft before the February 2013 Patch Tuesday. Microsoft will continue to monitor the threat landscape and decide if this zero-day vulnerability warrants and out-of-band release.
I will be going over the January Patch Tuesday patches in detail along with reviewing other non-Microsoft releases since the December Patch Tuesday in our monthly Patch Tuesday webcast. This webcast is scheduled for next Wednesday, January 9th at 11:00 a.m. CT. You can register for this webcast here.
- Jason Miller