The April 2013 MS Tuesday advisories are out and it forecasts an interesting patching session for Microsoft administrators. There are 9 advisories, for 14 CVEs, affecting 16 distinct platforms in 5 categories of Microsoft products, including the not-often-seen patching of “Microsoft Office Web Apps” and “Microsoft Security Software”.
Once again there is an IE patch (MS13-028) which is rated critical, but this one differs from last month’s incarnation by applying to all supported versions of IE (6-10) on the relevant platforms, including IE 10 on Windows 7 & 8. Due to the widespread use of IE and subsequently high degree of exposure for any group or individual using it, combined with the severity, this is where I would prioritize patching efforts.
Since there are only two critical advisories this month, it follows that the other critical issue (MS13-029)which affects all versions of Windows from XP/2003 to 7/2008R2 is the next highest patching priority. This issue is in the RDP ActiveX control and affects versions 6.1 and 7, but not 8. However, RDP 8 is not yet the default on the affected platforms. This issue could be triggered through an RDP link in a browser or other content. A workaround would be to set the “kill-bit” for these ActiveX controls, but the update actually fixes the issue, rather than disabling the RDP control.
Of the remaining seven advisories, it’s hard to call what the top priority is, and the real risk will depend on your environment. I would lean towards saying that MS13-035, an elevation of privilege issue which affects Microsoft InfoPath, SharePoint and “Office Web Apps 2010” would be the next biggest cause for concern. This is a cleanup of functionality in the “safe HTML” component in these products.
MS13-031, MS13-033 and MS13-036 all apply to Windows and are all elevation of privilege vulnerabilities. MS13-031 is a double fetch issue affecting the Windows kernel, MS13-033 affects the client/server runtime, and MS13-036 (4 CVEs) affects kernel mode drivers. It’s good to patch all these issues as part of defense in depth measures, but remember that attackers use these exploits to elevate privilege after the they have gained access through another exploit.
MS13-030 is an information disclosure issue that only affects SharePoint 2013. The issue is that if two logged in users are uploading content, one user could view the other’s uploaded content.
I would put MS13-032 at a slightly higher than anticipated priority. It is a denial of service affecting Active Directory where a malicious authenticated user could use a malformed LDAP request to consume CPU cycles on a domain controller. If exploited, this could severely disrupt operations for an organization.
And that leaves MS13-034, an elevation of privilege issue in Windows Defender affecting Windows 8 and RT. The vulnerability is an unquoted pathname issue, where an attacker could take advantage of how Windows handles spaces in file names to cause a malicious program to load with system privileges.
Overall, this month is going to be more challenging than the relative quiet of last month. All of these issues were responsibly disclosed and none are known to be actively exploited in the wild.