Microsoft released 13 security bulletins, four rated critical, with the suggested deployment priority starting with MS13-068 for Outlook, MS13-069 for every supported version of Internet Explorer, and MS13-067 for SharePoint. MS13-070 is also rated critical and is one of eight patches to close remote code execution vulnerabilities.
MS13-068 should patch a "memory corruption vulnerability accessible by simply previewing a message in the Outlook Preview Pane." Dustin Childs, group manager, Microsoft Trustworthy Computing, released this statement:
While the Outlook bulletin is certainly one to pay attention to, building a reliable exploit for this issue won't be easy. Still, we've listed this update as one of our highest priorities for this month and encourage customers to deploy the bulletins to help ensure protection.
Conversely, Wolfgang Kandek, CTO of Qualys, told Computerworld that he predicts the Outlook flaw will be "extremely dangerous." He said, "Past patterns in critical Office vulnerabilities have always been through the preview pane. It is pretty much the only way to get into Outlook without user interaction, which is Microsoft's criteria for a critical rating."
Seven of the security updates this month address vulnerabilities in Office.
Based on the fact that Microsoft has released Internet Explorer security updates for 11 months in a row, Andrew Storms, director of DevOps at CloudPassage, said, "I expect we'll see IE updates every month from now on." That puts Microsoft's browser on a similar and more frequent patch schedule like Chrome and Firefox.
Additionally, Microsoft said it was "revising Security Advisory 2755801" to provide the latest update for Adobe Flash Player in IE "on all supported editions of Windows 8, Windows Server 2012, and Windows RT. The update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash libraries contained within Internet Explorer 10 and Internet Explorer 11." The company noted that the update for Windows RT is only available via Windows Update.
Last month, Microsoft had to pull three security updates after receiving reports that they caused functionality issues with Windows Server Active Directory Federation Services (ADFS). Hopefully there will be no issues this month other than plan on rebooting.
Like this? Here's more posts:
- 4 billion call records added daily to AT&T database for DEA phone surveillance
- Nuke data: BleachBit for Windows has 1300+ cleaners to help protect your privacy
- School starts mass social media surveillance of students for their ‘safety’
- Government-funded P2P surveillance fallout: Tell-all book, lawsuit, FTC complaint
- Researchers develop attack framework for cracking Windows 8 picture passwords
- Careful Windows Phone 8 users, connect to rogue Wi-Fi & hackers can steal passwords
- UK govt leak police destroyed Guardian hard drives to stop secret surveillance stories
- Is Microsoft an enemy of the internet by helping the NSA undermine encryption?
- Not cyber myths: Hacking oil rigs, water plants, industrial infrastructure
- Cautionary tales: Teen beauty queen and baby spied on via hacked cameras
- Microsoft Research: Secret tags in 3D-printed objects, hooked to the Internet of Things
- Black Hat: It's not 'tricky' for hackers to turn your phone into a SpyPhone
- Implanted RFID chips to implanted invisible headphones: Modded bodies and privacy
Follow me on Twitter @PrivacyFanatic