May Patch Tuesday coming up – Microsoft still not sure if latest 0-day fix will make the cut

12 May

Microsoft’s Patch Tuesday for May 2013 will be published in the coming week.

It’ll be out on Tuesday 14 May 2013. (Wednesday 14 May for everywhere from about Malaysia eastwards.)

Here’s the elevator pitch:

  • 33 vulnerabilities identified and fixed.
  • Ten separate patches.
  • Eight rated Important. (Apply ASAP.)
  • Two rated Critical. (Apply immediately.)
  • A reboot is required.

Loosely translated, Microsoft’s interpretation of important means that an exploit against the vulnerability is likely to be found, but you’ll probably get some sort of warning, such as a pop-up dialog, if an attacker tries to use it.

On the other hand, critical means not just that an exploit is likely (or already known), but that it can be used silently – what’s known as a drive-by install – without popups or any other kind of warning.

The burning question about the May 2013 Patch Tuesday is this: will it fix CVE-2013-1347?

This is a remote code execution flaw in Internet Explorer 8 that has already been exploited in the wild to disseminate malware, most notably via a hacked website belonging to the US Department of Labor.

Microsoft has already published a temporary patch for CVE-2013-1347 in the form of a Fix it tool, and has announced that it would like to have a permanent patch available in time for the coming Patch Tuesday.

As Microsoftie Dustin Childs from the Trustworthy Computing team wrote:

Of note, we are working to have the Internet Explorer Security Update address the issue described in Security Advisory 2847140 [relating to CVE-2013-1347], supplementing the currently available Fix it.

In plain English, that means: “We’ve got a patch ready. We’d love to ship it out to everyone on Patch Tuesday, but we haven’t quite decided whether it’s 100% ready yet.”

I suggest you assume that Microsoft will miss the Tuesday deadline for the CVE-2013-1347 patch, and will publish it in a so-called out-of-band, one-off update later in May.

In other words, prepare to patch twice in the month.

If Microsoft does hit its deadline, treat it as a handy bonus.

By Paul Ducklin

Posted on May 12, 2013 in Uncategorized