Posted by: Ed Tittel
I know I’m busy, busy, busy when Patch Tuesday takes me by surprise, and that’s what happened to me yesterday. Between phone calls galore, and catch-up from a long family weekend, I wasn’t necessarily ready to go haring after Windows Updates. But, ready or not, there it was and I’ve been digging in ever since. My Windows 8 machines show 14 updates for Windows itself, and another 10 for Microsoft Office 2013; my Windows 7 machines show 7 for Windows and components (including Internet Explorer 10, which has now been pushed into the Windows Update channel) and another 3 for Microsoft Office 2010.
A quick gander at the latest Microsoft Security Bulletin for March 2013 reveals bulletins numbered MS13-021 through -027, for a total of 7 bulletins overall. Four of them are labeled critical (MS13-021 through -024), with the first three qualified as “Remote Code Execution” and MS13-024 as “Elevation of Privilege.” The coverage is all over the place: -021 is a cumulative security update for IE, -022 addresses Silverlight vulnerabilities, -023 tackles the Visio Viewer 2010, and -024 addresses four SharePoint vulnerabilities.
The remaining three bulletins are rated Important, where -025 and -026 are qualified as “Information Disclosure,” and -027 as “Elevation of Privilege.” The -025 update is for OneNote, -026 is for Outlook for Mac, and -027 touches on Kernel-mode drivers. MS13-021 and -027 require a restart, -023, -024, and -025 may require one, and the remaining items (-022, -026) do not require a restart. Severity ratings notwithstanding, my impression is that admins will want to consider accelerating deployment of -021 and -027 first and foremost, as these are most likely to address potential vulnerabilities on the vast majority of end-user machines, unless Silverlight is also in broad use (in which case it should be prioritized for testing and possible deployment as well).
BTW, I really like the Acknowledgements section that has been added to the MS Security Bulletins, which gives those who report vulnerabilities credit for their work, and also ties updates to specific entries in the Common Vulnerabilities and Exposures (CVE) database. It’s also interesting to see many of the same names (and test labs) showing up in those credits as well. Here’s a snippet, by way of illustration: