Microsoft Fixes Dozen Flaws, but Not IE Zero-Day Threat, in Update
Microsoft's first patch Tuesday update of 2013 is now out and it's likely to be followed up by an out-of-band update for IE soon.
While 2012 was mostly a year of improvement for Microsoft's Patch Tuesday efforts, 2013 is already shaping up to be a challenging one for the software giant.
Microsoft's January Patch Tuesday delivers fixes for 12 security vulnerabilities, though it is perhaps most noteworthy for what it is missing. Security firm FireEye on Dec. 28 reported on its discovery of a new Internet Explorer (IE) zero-day flaw that is being actively exploited. Microsoft responded with a Fix it update, though a full patch is not yet publicly available.
"We’ve reviewed the information and are working on an update, which we will make available to all customers on IE 6-8 as soon as it is ready for distribution," Dustin Childs, group manager, Microsoft Trustworthy Computing said in a statement sent to eSecurity Planet. "In the meantime, the current Fix it, mitigations and workarounds available in Security Advisory 2794220 fully protect against all known active attacks."
IE Threat Impacts Older IE Versions
Microsoft also continues to encourage customers to upgrade their browsers to IE versions 9-10, which are not affected by this issue, Childs added.
Ross Barrett, senior manager of Security Engineering at security vendor Rapid7, told eSecurity Planet that many people were expecting a patch for the Internet Explorer zero-day threat. While this was not included in today's patch release, the only supported version of IE affected by the current 0-day is IE 8, so impact is largely limited to customers on Windows XP, he said.
"Users of other Windows platforms should have gone to IE 9 or 10 by now," Barrett said.
Andrew Storms, director of security operations at nCircle, noted that attack code for the basic exploit has already made its way into popular toolkits.
"We’re going to continue to see an increase in attacks until Microsoft releases a patch for this bad boy, and it wouldn’t surprise me to see an out-of-band patch in the next two weeks for this," Storms said. "This doesn’t bode well for 2013, as Microsoft only released one out-of-band patch in all of 2012 and only one in 2011."
One of the newly patched vulnerabilities in the January Patch Tuesday update is MS13-001, which fixes a critical vulnerability in the Windows Print Spooler.
"The vulnerability could allow remote code execution if a print server received a specially crafted print job," Microsoft warned in its advisory. "The security update addresses the vulnerability by correcting how the Windows Print Spooler handles specially crafted print jobs."
Microsoft's second critical update for 2013 is for a pair of vulnerabilities in Microsoft XML Core Services. Microsoft warns that the vulnerabilities could enable an attacker to potentially execute remote code if the user visits a maliciously crafted site with IE.
"This impacts a dog’s breakfast of Microsoft operating systems and applications including Windows 8, RT and Server 2012," Rapid7's Barrett said. "One thing to watch out for in this type of vulnerability is applying all the patches that apply to a system."
Barrett noted that, for example, the flaw could affect Groove, Office, SharePoint, the OS, and other components. "Administrators will have to patch for each affected component," he said. "This will require multiple patches for many systems and will almost certainly require a restart."
Among the updates Microsoft rates as Important is a fix for the Windows implementation of SSL, which is used pervasively across the Internet to protect and encrypt Web traffic.
"A security feature bypass vulnerability exists in the way that the Microsoft Windows SSL/TLS (Secure Socket Layer and Transport Layer Security) handle the SSL version 3 (SSLv3) and TLS protocols," Microsoft warns in its advisory. "The vulnerability could allow security feature bypass if an attacker injects specially crafted content into an SSL/TLS session."