While not as massive as the monster patch tuesday release for February 2013, Microsoft’s patch tuesday updates for March 2013 were still noteworthy. The update include four critical and three important bulletins, which address close to two dozen vulnerabilities in a host of Microsoft products. Microsoft details all of the updates in their Security Bulletin for March 2013, which indicates that the vulnerabilities impact Microsoft Windows, Server Tools, Internet Explorer, Microsoft Office, and Silverlight.
In a post on the Microsoft Security Response Center blog, Dustin Childs, Microsoft Group Manager, Response Communications in the Microsoft Trustworthy Computing group, urged system administrators to focus on three of the updates. “For those who need to prioritize deployment, we recommend focusing on MS13-021, MS13-022 and MS13-027 first.”
I also spoke with Wolfgang Kandek, the CTO of cloud security vendor Qualys, to get more detail on the highest priority of this month’s security updates. Kandek said that the most critical update was MS13-021 – Cumulative Security Update for Internet Explorer (2809289). “There are 9 vulnerabilities addressed in that update, which deals with a vulnerability for Internet Explorer 8,” Kandek said. “An exploit for this vulnerability is already out and available…and will be integrated into the tools that attackers can use to build attacks from.”
Kandek also provided further details of why MS13-022 – Vulnerability in Silverlight Could Allow Remote Code Execution (2814124) and MS13-027 – Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2807986) were important updates. “MS13-022 updates Silverlight…this could impact you if you’re using applications based on Silverlight, like the Netflix [streaming video player] for Mac and Windows,” Kandek said. “We haven’t seen a lot of attacks against Silverlight, but it’s something to address.”
The next bulletin admins need to be concerned about is MS13-027. “This updates fixes a vulnerability that allows attacks against the windows kernel through a USB port,” Kandek said. “This would allow someone to launch attack by using a USB drive, and potentially give that person control of that machine [from the kernel level].”
What are your thoughts on the March 2013 patch tuesday release? Drop me an email with your thoughts.