The first Microsoft monthly security update for 2013 does not offer an easy start to the year for IT administrators with seven bulletins covering a wide variety of software.
Two bulletins are classified “critical”, while the rest are rated as “important” according to Microsoft’s advance notification.
For IT administrators, the focus should be on the two critical bulletins, according to Wolfgang Kandek, chief technology officer (CTO) at security firm Qualys.
The first “critical” bulletin affects only Windows 7 and Windows 2008 R2, but it still results in remote code execution so it should not be taken as any less seriously, said Ziv Mador, director of security research at Trustwave’s SpiderLabs.
The second “critical” bulletin affects all versions of Windows, plus some server software. “It is likely that it is a vulnerability in one of the base libraries of Windows that is widely used, such as Windows XML Core Services, which had its last fix in July of 2012 under MS12-043,” said Kandek.
This month’s security update will not include a fix for the zero-day vulnerability in Internet Explorer versions 6, 7 and 8.
Read more about Microsoft patches
- November 2012 Patch Tuesday to include Windows 8 patch
- Patch Tuesday: Microsoft restricts RSA tokens with 1024-bit encryption
- Busy security patch month for Microsoft administrators
- Microsoft patches MSXML, IE, hardens Windows Update
- Patch Tuesday: Five critical bulletins, Exchange Server fix expected
On 29 December, Microsoft issued a security advisory that warned that the exploitation of the vulnerability allowed remote code execution.
The vulnerability, the advisory said, exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated.
Microsoft has issued a FixIt as a temporary protective measure while a permanent security update is developed.
The company said that the quick fix is not intended to be a replacement for any security update, but it should come as no surprise that Microsoft was unable to patch the zero-day vulnerability at such short notice, said Andrew Storms, director of security operations for security firm nCircle
While the vulnerability affects three versions of IE, Microsoft is only aware of working exploits for IE8.
Kandek recommends that organisations evaluate the FixIt until Microsoft provides a permanent patch.
The company says it will complete its investigation before deciding whether it will release a patch through its monthly security update process or an out-of-cycle security update.
Separate to the advance notification, Microsoft has published an advisory with a certificate update that invalidates a fraudulent certificate for "*.google.com" that was issued by the Turkish CA Turktrust.
Kandek said the certificate update will be transparent for organisations that have the automated certificate updater installed.
“All others, which includes Windows XP users for example, should push out KB2798897 manually to avoid the possibility of having their web traffic intercepted by someone using the fraudulent certificate,” he said.
Kandek said January could be a busy month for IT administrators with Oracle due to publish its quarterly Critical Patch Update on 15 January.