nsane.forums Posted April 4, 2013

Microsoft has revealed the summary of the next security patches that will be released on Tuesday, April 9th, which will include a critical update for many versions of Internet Explorer and more.

Every second Tuesday of the month, Microsoft releases a number of security software updates. This upcoming Tuesday will be no exception and today, the company posted its summary of its security patch that will be released on April 9th, also known as Patch Tuesday.

Nine security bulletins will be issued on that day, and two of them will be labeled as "Critical". The summary of the security announcements reveals that one of the critical bulletins concerns Internet Explorer and it affects IE6, 7, and 8 in Windows XP, IE7, 8 and 9 in Windows Vista, IE8, 9 and 10 in Windows 7 and IE10 in Windows 8 and RT.

The other critical update to be released on Tuesday is for Windows XP Service Pack 3, along with Windows Vista Service Pack 2, and Windows 7. This critical update does not affect Windows 8 or RT. As usual, Microsoft has not gone into detail on the specifics behind these updates so as to not alert hackers beforehand but will release that information after the patches are launched on Tuesday.

Microsoft will almost certainly issue non-security related software updates for other products on Tuesday, such as software fixes and improvements for its Surface RT and Surface Pro PCs.

View: Original Article
anuseems Posted April 9, 2013

Microsoft to issue 9 security updates on Tuesday, critical for all IE versions, reboot required

Microsoft has issued its routine advance notification for the coming week's Patch Tuesday.

As usual, the "pre-announcement" is a bit like a bikini: interesting more for what it conceals than what it reveals.

Nevertheless, there's enough to make sure you're ready for Tuesday 09 April 2013 (or Wednesday, of course, if you live at the longitude of about Thailand or further east).

This month's nine updates don't sound too onerous, with just two at critical level and the remaining seven important, but the critical ones affect Internet Explorer (IE) and Windows itself, and the IE fix will require a reboot.

Just so you know.

Importantly, the IE update applies to all supported versions of the browser, from IE 6 to IE 10, on all supported versions of Windows, from XP and Server 2003 to Eight and Server 2012, in both 32-bit and 64-bit flavours.

Server Core installs, happily, aren't affected by either of the two critical flaws.

→ Internet Explorer isn't part of a Core install, which doesn't support GUI applications for safety's sake. This reduces your attack surface area tremendously and you should go for a Server Core installation whenever you can.

As you may have seen, there has been plenty of speculation that the critical updates will include patches for the IE vulnerabilities exploited in the recent PWN2OWN competition.

Mozilla and Google triumphantly rushed out patches to the holes in Firefox and Chrome that were found at PWN2OWN, closing down the vulnerabilities within 24 hours.

As we remarked at the time, this certainly threw down the patching gauntlet to Microsoft, though we also pointed out that:

Redmond, to be fair, has many more products with much more complex inter-relationships to juggle than Mozilla, and even Google.

With the PWN2OWN rules this year requiring responsible disclosure, meaning that winners had to reveal their attacks to the affected vendors and allow time for a considered and tested fix, it wasn't actually necessary for Microsoft to rush.

If Redmond's security team does fix IE's PWN2OWN bugs on its official April patch day, it will in my opinion have done a timely job, but until Tuesday, Microsoft is keeping the details up its sleeve.

Note that five of the non-critical patches fix what's known as elevation of privilege, a trick that allows untrusted software to do things beyond its official authority.

Usually, that means a program running as a regular user can complete operations that would normally require administrator privileges, such as modifying system settings or altering critical files.

As you can imagine, attackers often combine RCE, or remote code execution, with EoP, or elevation of privilege.

They use the RCE to escape from the strictures of your browser, or some other interactive application, and then the EoP to escape from the limitations of your regular login account.

Either sort of exploit is dangerous on its own, but together they are much more harmful.

So plan to patch all the holes, not just the critical ones, and watch out on Naked Security and the SophosLabs Vulnerabilities page for our analysis and assessment of the updates once we're clear to publish.

(We have to wait until Microsoft has made the updates live before we give away any details.)

Bonne chance!

@ http://nakedsecurity.sophos.com/2013/04/07/microsoft-to-issue-9-security-updates-on-tuesday-critical-for-all-ie/
dcs18 Posted June 11, 2013

A total of 19 Windows Updates have just been released (12 for Windows 8 Professional x64 and 7 for Office 2013 x64.)

Edit: 2 restarts were required, this time - for me.
Phyton Posted June 11, 2013
Archived
This topic is now archived and is closed to further replies.