Before we start the July Patch Tuesday review, we should note that Microsoft released a Security Advisory between last month's update and the July patch cycle. This update relates to Microsoft Gadgets, the usually small utilities that were "locked" to the task bar in Windows Vista and "set loose" on the Windows desktop. The "gadgets" include clocks, calendars and processor performance monitoring tools. The Security Advisory (2719662) only affects Windows 7 (both 32-bit and 64-bit systems). Microsoft has the following to say on their TechNet website:
Microsoft is aware that some legitimate Gadgets running in Windows Sidebar could contain vulnerabilities. An attacker who successfully exploited a Microsoft Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could create a malicious Gadget and then trick a user into installing the malicious Gadget. Once installed, the malicious Gadget could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system.
Microsoft offers a few workarounds (not really fixes) for this desktop Gadget vulnerability. If you are an enterprise customer and use Group Policy, you can disable Gadgets altogether, or you can download the Microsoft Knowledge Base automated fix.
Ready for July Patch Tuesday?
This month, we have seven updates, with six rated as Critical and one rated as Important. We are on track for a bumper year of Critical updates, with 22 so far, compared to 34 for all of 2012.
The first patch (MS13-052) affects both the Microsoft .NET and Silverlight middleware frameworks, all desktop and server platforms (64-bit and 32-bit), and (mostly due to Silverlight) also affects the Microsoft Surface and RT platforms. MS13-052 (Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution) is due to array handling issues in Microsoft TrueType fonts. Here’s the silver lining: if you are running Windows Server Core, you won’t be running .NET or Silverlight, so this update does not apply to you.
Microsoft update MS13-053 (Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution) relates to Windows kernel drivers (the very base component of the Windows operating system), as well as TrueType fonts, so it’s pretty serious. This is an old favorite of mine, and this patch replaces two previous attempts to resolve this problem. I fully expect to see an update to this issue before the end of the calendar year.
Two related updates (MS13-054 and MS13-056) relate to Microsoft GDI and DirectShow, two graphics-related sets of Application Programming Interfaces (APIs) from Microsoft. Both of these patches relate to Remote Code Execution vulnerabilities, and are pretty important updates that need to be deployed. From past experience, however, I would perform some pretty heavy testing for these two Microsoft patches if you are using graphically intensive applications (AutoCAD) and quick updating applications (Bloomberg/Reuters). MS13-057 also is graphics-related, and deals with a vulnerability in the way Microsoft opens Windows media (video/audio) files. MS13-057 is rated as Critical, but I can't see this patch causing much trouble for enterprise customers.
Microsoft also released an update to Internet Explorer (all versions, all platforms) with MS13-055, which addresses another Remote Code Execution vulnerability. This patch attempts to resolve 16 Memory Corruption vulnerabilities and one Cross-Site-Scripting (XSS) vulnerability. Cross-Site-Scripting attacks are very tough to debug, and could cause major security issues for a website. Microsoft describes XSS vulnerabilities as:
Common (XSS) vulnerabilities that make your Web applications susceptible to cross-site scripting attacks include failing to properly validate input, failing to encode output, and trusting the data retrieved from a shared database.
Microsoft has offered some help with this patch, but if you are worried about XSS attacks in Internet Explorer, a good place to start is the Microsoft Anti-XSS kit.
And now for the little sparkle in my day. MS13-058 addresses (again) an Elevation of Privilege vulnerability in how Windows Defender handles path names. Didn't we see this issue before? Yes, back in April (you can read about it here). Since this is a second attempt at fixing this Windows Defender security vulnerability, my guess is that we will be seeing a patch for this security issue again, as well.