Ladies and gentlemen, start your engines, but be ready to reboot, as Microsoft released 10 security bulletins to patch 33 vulnerabilities that are listed as critical or important. That may make your eye twitch, particularly if you were trapped in a boot loop last month due to a bad Microsoft patch, so get ready to find some "extra" time to test the patches on corporate machines before deploying.
"In light of the reboot loop problems resulting from the Microsoft patches issued in April, businesses need to have the ability to test patches, or have a trusted third-party test them, before deploying on corporate networks and PCs, in order to minimize potential downtime caused by a faulty patch," advised Cristian Florian, product manager at GFI Software. The patches need to be deployed as soon as possible, as "They will remove some vulnerabilities that could be exploited to gain backdoor access to an organization's network."
One of the critical security updates, MS13-037, patches 11 privately reported vulnerabilities in Internet Explorer, including the exploit of IE 10 on Windows 8 at Pwn2Own 2013. The security firm Vupen used two zero-day vulnerabilities to compromise the Surface Pro tablet and bypassed the sandbox to achieve medium integrity code execution. Vupen, which has been criticized for selling zero-day exploits to governments, tweeted:
Although Microsoft previously released a "Fix it" after a zero-day vulnerability in IE8 was exploited for watering hole attacks aimed at Department of Energy (DOE) employees who worked with nukes, the Redmond giant worked night and day to get a patch ready. Dustin Childs, group manager, Response Communications, Microsoft Trustworthy Computing said, "Our engineers worked around the clock to prepare and test MS13-038, which will help keep customers safe by permanently addressing the Internet Explorer 8 issue. We recommend prioritizing this bulletin, along with MS13-037 and MS13-039, and updating your systems as soon as possible."
Microsoft also has changed the way in which it communicates the technical details within security advisories. Enterprise customers "will be able to clearly identify key security updates" such as whether the patch will be light and require only wine, or intense and require at least a double-shot of whiskey. Just joking, relax. Actually, Microsoft explained:
This change allows for the following:
- We can more accurately classify security bulletin updates that do not have an "MSRC Severity" rating assigned. For example, MS13-038: Security update for Internet Explorer 9: May 14, 2013 does not have a severity rating assigned. Going forward, the "MSRC Severity" rating will be classified as "Unassigned" instead of as "Critical update," although the bulletin severity is "Critical update."
- We can correctly classify security advisory updates that do not relate to a vulnerability in Microsoft code but do have security implications.
For these kinds of security issues, customers can expect to see the "MSRC Severity" rating set to "Unassigned."
Other Microsoft tidbits: Blue is Windows 8.1 & chat with Gmail friends from Outlook
At the JP Morgan Technology, Media and Telecom Conference, Microsoft's Tami Reller announced that Windows Blue is officially named Windows 8.1 and "will be a free update to Windows 8 for consumers through the Windows Store." Starting on June 26, Windows 8 and RT device users will be able to download the public 8.1 update preview.
Microsoft is also rolling out cool changes to Outlook.com that will allow users "to chat with friends stuck on Gmail." The Outlook blog reported, "When you open the Messaging pane in Outlook.com or SkyDrive, you'll see a message that helps you set up chat with your Google contacts. Just click it to get started; setup will only take a minute."
Follow me on Twitter @PrivacyFanatic