Security updates from Microsoft, Oracle and PostgreSQL are likely to keep security administrators busy in April.
Microsoft is to release nine security bulletins next week as part of its monthly Patch Tuesday security updates, aimed mainly at critical vulnerabilities in Internet Explorer and Windows 7.
According to the Security Bulletin Advance Notification for April 2013, the first critical update is for all versions of Internet Explorer (IE), including the newest IE 10, on Windows 8 and RT.
This vulnerability should be at the top of patching priority lists as it allows remote code execution when a user visits a compromised website, which is one of the most popular attack methods, said Wolfgang Kandek, chief technology officer at security firm Qualys.
Andrew Storms, director of security operations at nCircle, said it is almost certain that this month's IE patch fixes the Pwn2Own bug demonstrated at CanSecWest.
“Historically, Microsoft has always been behind patching Pwn2Own bugs. Even with its new, more aggressive IE patch cadence, it is still behind browsers that don’t stick to a monthly patch schedule," he said.
“This probably isn’t a huge problem for enterprise security teams because the Pwn2Own bug hasn’t been publicly released,” Storms added.
The second Microsoft security update is aimed at a “critical” vulnerability that affects the Windows Operating System, except the newest versions – Windows 8, Server 2012 and Windows RT for tablets.
The remaining Microsoft bulletins are all rated “important” and affect Windows, the SharePoint server and Microsoft’s Windows Defender malware scanner on Windows 8 and Windows RT.
“The vulnerabilities addressed in these bulletins typically allow the attacker an escalation of privilege from a normal user to an admin-level user once they are already on the machine or can trick the user into opening a specifically crafted file,” said Kandek.
Ziv Mador, director of security research at Trustwave, said it would be interesting to find out how the vulnerability in Windows Defender was discovered and disclosed.
“Windows Defender isn’t something that has seen a lot of attention from researchers, but would definitely be a juicy target of attackers,” he said.
In addition to the Microsoft updates, security administrators should note that the PostgreSQL open source project has published new versions of its database product that address five security flaws.
One of them – CVE-2013-1899 – allows an unauthenticated attacker to corrupt or delete files in the server's data directory, by way of a connection request whose database name begins with a hyphen, leading to data loss and denial of service.
There is also an out-of-cycle update for Java from Oracle this month.
Normally, Java is on a four-month release cycle in February, June and October. However, due to the number and severity of recent vulnerabilities discovered, there will be an additional release on 16 April.