Microsoft Security Bulletins For May 2013 overview
It is the second Tuesday of the month and we all know what that means: Microsoft Patch Day. Microsoft has released a total of ten security bulletins this month that address security-related issues in products such as Microsoft Windows, Internet Explorer, Microsoft Office or Windows Essentials. The ten bulletins address a total of 33 different vulnerabilities.
Two bulletins have received the highest severity rating of critical while the remaining eight received important ratings. A bulletin's rating is its maximum severity: at least one affected product received that rating, while other affected products or versions may have received the same or a lower rating.
Security update MS13-038 resolves a 0-day security vulnerability that affects Microsoft's Internet Explorer 8 on all supported operating systems. Microsoft has released a fix-it patch recently to address the issue.
The second critical bulletin of the month is a cumulative update for Microsoft's web browser that resolves 11 different security-related vulnerabilities.
Operating system distribution
It is often the case that desktop and also server operating system versions are affected in different ways by the vulnerabilities. Here we look at the distribution of severity ratings across all desktop and server operating systems.
As you can see, all desktop versions of Windows share the same severity rating with the exception of Windows 8 and Windows RT. As far as servers go, the picture is a little bit different. Here it is Windows Server 2012 that is affected more severely than previous versions of the server operating system.
- Windows XP: 2 critical, 2 important
- Windows Vista: 2 critical, 2 important
- Windows 7: 2 critical, 2 important
- Windows 8: 1 critical, 3 important
- Windows RT: 1 critical, 2 important, 1 moderate
- Windows Server 2003: 1 important, 2 moderate
- Windows Server 2008: 2 important, 2 moderate
- Windows Server 2008 R2: 2 important, 2 moderate
- Windows Server 2012: 3 important, 1 moderate
Microsoft recommends deploying the bulletins in the following order:
- First MS13-037, MS13-038 and MS13-039. The first two bulletins are the only ones with a critical severity rating. The third bulletin addresses an issue that could allow a denial of service attack against Windows systems.
- Then the four bulletins MS13-041, MS13-042, MS13-043 and MS13-046. The first three address vulnerabilities in Office programs, the fourth one in the Kernel Mode Driver.
- Last but not least, bulletins MS13-040, MS13-044 and MS13-045, which address security issues in the .NET Framework, Visio and Windows Essentials.
- MS13-037 - Cumulative Security Update for Internet Explorer (2829530)
- MS13-038 - Security Update for Internet Explorer (2847204)
- MS13-039 - Vulnerability in HTTP.sys Could Allow Denial of Service (2829254)
- MS13-040 - Vulnerabilities in .NET Framework Could Allow Spoofing (2836440)
- MS13-041 - Vulnerability in Lync Could Allow Remote Code Execution (2834695)
- MS13-042 - Vulnerabilities in Microsoft Publisher Could Allow Remote Code Execution (2830397)
- MS13-043 - Vulnerability in Microsoft Word Could Allow Remote Code Execution (2830399)
- MS13-044 - Vulnerability in Microsoft Visio Could Allow Information Disclosure (2834692)
- MS13-045 - Vulnerability in Windows Essentials Could Allow Information Disclosure (2813707)
- MS13-046 - Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation Of Privilege (2840221)
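To see which of these bulletins are still pending on a given machine, and in which order to deploy them, the script below asks the local Windows Update Agent for missing updates and sorts the matches by the deployment tiers listed above. It is an added example, not part of the original article; it assumes PowerShell 2.0 or later and that the Windows Update Agent COM API (Microsoft.Update.Session) can reach the machine's configured update source.

```powershell
# Added example: list pending May 2013 bulletin updates in deployment order.
# Bulletin IDs and tier numbers are taken from the lists on this page.
$tiers = @{
    'MS13-037' = 1; 'MS13-038' = 1; 'MS13-039' = 1
    'MS13-041' = 2; 'MS13-042' = 2; 'MS13-043' = 2; 'MS13-046' = 2
    'MS13-040' = 3; 'MS13-044' = 3; 'MS13-045' = 3
}

# Ask the Windows Update Agent for software updates that apply to this
# machine but are not installed yet. The search uses whatever update
# source the machine is configured for (Windows Update or WSUS).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search("IsInstalled=0 and Type='Software'")

# Keep only updates tagged with one of the ten bulletin IDs. One update
# can carry several bulletin IDs, so emit one row per match.
$pending = foreach ($update in $result.Updates) {
    foreach ($bulletin in $update.SecurityBulletinIDs) {
        if ($tiers.ContainsKey($bulletin)) {
            New-Object PSObject -Property @{
                Tier     = $tiers[$bulletin]
                Bulletin = $bulletin
                Severity = $update.MsrcSeverity
                KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
                Title    = $update.Title
            }
        }
    }
}

if (-not $pending) {
    Write-Output 'No updates for the May 2013 bulletins are pending on this system.'
} else {
    # Tier 1 first (critical bulletins and the HTTP.sys fix), then 2, then 3.
    $pending | Sort-Object Tier, Bulletin |
        Format-Table Tier, Bulletin, Severity, KB, Title -AutoSize
}
```

An empty result means the updates are either installed already or not applicable to the products on the machine; the script does not distinguish between the two.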
Non-security related updates
Non-security related updates have been released since the last patch Tuesday as well. The following list provides you with an overview of the updates that Microsoft has released in that time.
- Update for Windows 8, Windows RT, Windows Server 2012, Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB2798162)
- Update for Microsoft .NET Framework 4.5 on Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista (KB2805221)
- Update for Microsoft .NET Framework 4.5 on Windows 8, Windows RT, and Windows Server 2012 (KB2805222)
- Update for Microsoft .NET Framework 4.5 on Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista (KB2805226)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2805227)
- Update for Windows 8 and Windows Server 2012 (KB2805966)
- Update for Windows 7 (KB2813956)
- Update for Windows 8, Windows Embedded Standard 7, Windows 7, and Windows Server 2008 R2 (KB2818604)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2820330)
- Update for Windows 7 and Windows Server 2008 R2 (KB2820331)
- Dynamic Update for Windows 8 and Windows Server 2012 (KB2820332)
- Dynamic Update for Windows 8 and Windows Server 2012 (KB2820333)
- Update for Windows 7 and Windows Server 2008 R2 (KB2835174)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2836988)
- Windows Malicious Software Removal Tool - May 2013 (KB890830)/Windows Malicious Software Removal - May 2013 (KB890830) - Internet Explorer Version
- Update for Root Certificates for Windows 8, Windows 7, Windows Vista, and Windows XP (KB931125)
- Update for Windows 8 for x64-based Systems (KB2818604)
How to download and install the May 2013 security updates
The easiest way to obtain all security updates is to use Windows Update. Windows XP to Windows 7 users can use the search menu to load Windows Update on their system while Windows 8 users need to search for it on the start screen instead.
You may need to click on the check for updates button on the page as the updates may not have been picked up automatically by the operating system.
If you want more control over the process, head over to Microsoft's Download Center. I recommend you enter the name of the bulletin into the search on the page as Microsoft seems to have modified the download page so that you cannot sort security updates by date anymore.