Microsoft released eight security bulletins this Patch Tuesday. At first glance, that may seem like a high number but the good news is, at this time, none of the vulnerabilities have been under active attack. While three bulletins are considered critical, with the balance important, two should be your top priority, according to Paul Henry, security and forensics analyst, Lumension.
MS13-059 is an Internet Explorer issue with 11 vulnerabilities. This bulletin is Microsoft cleaning up the last of the CanSecWest bugs.
MS13-060, your second priority, is a vulnerability in the Unicode Scripts Processor that could allow remote code execution. This vulnerability is for XP and Windows 2003 customers only and has just one privately reported vulnerability.
The last of the critical patches this month, MS13-061 is a vulnerability in Microsoft Exchange that could allow remote code execution. It fixes an issue with the Oracle Outside In update and has three reported vulnerabilities.
The remaining bulletins are ranked important. MS13-062 is a previously unknown vulnerability in Remote Procedure Call (RPC) that could allow elevation of privilege across all versions of Windows.
MS13-063 is another CanSecWest bug fix. It could allow elevation of privilege in the Windows kernel across all 32-bit operating systems.
MS13-064 is a vulnerability in the Windows NAT driver that could allow a denial of service.
MS13-065 is a vulnerability affecting ICMPv6 that could allow a denial of service attack.
MS13-066 is a vulnerability in Active Directory Federation Services that could allow active disclosure of a service name.
Year-to-date, Microsoft has released 65 security bulletins. For anyone keeping track, that’s seven more than we had covered at this time last year. At the start of the year, we anticipated higher numbers in 2013, given Microsoft’s commitment to cleaning up the low-hanging fruit out there. Last year at this time, there were 35 important patches issued; we now see 40. Our criticals in 2013 so far number 25, with 35 in total for 2012. Good news there!
Microsoft is also releasing a framework for improved cryptography. It allows customers more fidelity in managing cryptographic algorithms and digital certificates. Separately, they are also offering a new package for disabling support for MD5 hashes. You’ll need to go get them in the download center for now – they won’t be pushed out as a new standard until next year.
Outside of Microsoft, a flaw in Google’s Chrome browser was reported last week. It allows passwords saved in the browser to be published in the clear – free for the taking. If you use Chrome, you should first go to chrome://settings/passwords and delete them. Then, you should remember never to save passwords in a browser.