Microsoft Security Bulletins For July 2013 overview
On today's patch day, Microsoft has released seven security bulletins fixing a total of 32 different vulnerabilities in Microsoft Windows, the Internet Explorer browser, the Microsoft .Net Framework, Silverlight, GDI+ and Windows Defender.
I have compiled all the information that you need to deploy the updates on your own home PC or in a computer network. Included here are the deployment guide as recommended by Microsoft, links to all security and non-security patches that Microsoft has released in the last 30 days, and information on how to download the patches to a local system.
The company has furthermore released a new security policy regarding Store Apps for Windows Store, Windows Phone Store, Office Store and Azure Marketplace.
When vulnerabilities are discovered in apps available in one of the stores, developers have a maximum of 180 days to update the app with a fix. This is however only the case if the security vulnerability is not actively exploited in the wild and has a security rating of critical or important.
Microsoft expects developers to deliver patches much faster than the 180 days. The company notes that no application has come close to the deadline to this date.
Operating System Distribution
Each month, I'm looking at how each operating system is affected by the updates that were released this month.
A total of seven bulletins have been released by Microsoft this month. This month, all client versions of the Windows operating system were affected in the same way with the exception of Windows RT, if you want to count it here, which was affected by only five of the six critically rated bulletins.
On the server side of things, all server operating systems were also affected equally, with each being affected by 5 critically and 1 moderately rated bulletin.
- Windows XP: 6 critical
- Windows Vista: 6 critical
- Windows 7:Â 6 critical
- Windows 8:Â 6 critical
- Windows RT: 5 critical
- Windows Server 2003: 5 critical, 1 moderate
- Windows Server 2008: 5 critical, 1 moderate
- Windows server 2008 R2: 5 critical, 1 moderate
- Windows Server 2012: 5 critical, 1 moderate
Deployment Guide
Microsoft posts deployment recommendations that system administrators and end users can follow. It is usually more a guideline for computer networks, considering that most desktop users make use of automated updates that install one after the other in a matter of minutes.
Microsoft recommends the following deployment priority for the July 2013 updates:
- Tier 1: MS13-055 update for Internet Explorer and MS13-053 update for Kernel Mode Driver, both having an aggregate severity of critical.
- Tier 2: MS13-054 for GDI+, MS13-052 for Microsoft .Net and Silverlight, MS13-056 for DirectShow and MS13-057 for Media Format Runtime, all with an aggregate severity of critical.
- Tier 3: MS13-058 updating Windows Defender with an important severity score.
Security Bulletins
Consult the Bulletin Summary page for additional information about the update.
- MS13-052 Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (2861561)
- MS13-053 Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2850851)
- MS13-054 Vulnerability in GDI+ Could Allow Remote Code Execution (2848295)
- MS13-055 Cumulative Security Update for Internet Explorer (2846071)
- MS13-056 Vulnerability in Microsoft DirectShow Could Allow Remote Code Execution (2845187)
- MS13-057 Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (2847883)
- MS13-058 Vulnerability in Windows Defender Could Allow Elevation of Privilege (2847927)
Non-security related updates
Microsoft releases non-security updates in addition to security updates. The following list contains all non-security related updates that Microsoft released in the last 30 days.
- Update for Windows 7 and Windows Server 2008 R2 (KB2574819)
- Language Packs for Windows RT (KB2607607)
- Update for Windows 7 and Windows Server 2008 R2 (KB2829104)
- Update for Microsoft .NET Framework 2.0 SP2 on Windows Server 2008 (KB2836945)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2855336)
- Update for Microsoft Camera Codec Pack for Windows 8 and Windows RT (KB2859541)
- Windows Malicious Software Removal Tool - July 2013 (KB890830)/Windows Malicious Software Removal Tool - July 2013 (KB890830) - Internet Explorer Version
- Update for Windows 7 and Windows Server 2008 R2 (KB2592687)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2822241)
- Windows Malicious Software Removal Tool - June 2013 (KB890830) - IE Version
- MS13-029: Security Update for Windows XP (KB2813347)
- MS13-048: Security Update for Windows 8, Windows Embedded Standard 7, Windows 7, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP (KB2839229)
- MS13-047: Cumulative Security Update for Internet Explorer 10 for Windows 7 (KB2838727)
How to download and install the July 2013 security updates
Most end users who run a computer with Windows will receive the updates via the operating system's automatic update feature. You may however want to check for updates manually using the Windows Update tool so that they get picked up right away as the update checker is only checking for updates in intervals and not constantly.
All Windows users from Vista forward can do so with a tap on the Windows key, typing Windows Update, and the selection of the first search result from the list.
If you have disabled automatic updates, run a computer without Internet connection, or want to deploy the updates on multiple systems, you may want to download them once individually so that you can deploy them on one or multiple machines.
This is also ideal to test the updates before you apply them on work related machines in productive environments.
You can download all updates individually from Microsoft's Download Center. There you also find the monthly ISO release that includes all security updates of the month. You can alternatively use third party programs that download Windows Updates for you.
Thank you very much for the montly report on Microsoft Updates :)
KB2847927 is failing for me on Windows 7, even after a reboot and re-trying it.
From the Setup event log: Package KB2847927 failed to be changed to the Staged state. Status: 0x80070005.
This is an update for Defender. Failing to update may point to a virus/botnet… blocking updates to Defender anti-malware application.
http://support.microsoft.com/kb/968003
In recent times I have noticed more and more failures with certain .net components from windows update and was downloading manually to fix the problem. This sometimes cured the installation issue but not always. There has been a rather irritating trend towards not only Microsoft updates but many newer softwares not wanting to install unless the firewall and/or antivirus package is temporarily suspended. This in essence is not only annoying but being bothered to include an exception in either or both softwares to allow these items to install isn’t always practical ergo it is easier to temporarily suspend them instead but obviously this has the affect of leaving a gaping security hole albeit temporary.
you said 6 but when i looked at windows update it said 19 which i installed and after restart checked for updates and it said one more update was available, windows malicious software removal tool for which i chose install which it did and as it said that it would report if any had been detected when the computer was next started i restarted. In addition 22 updates are shown in update history in between the last monthly update and todays. These 22 are all for windows defender. This is on Windows 8 Pro
A single bulletin can contain multiple updates.
Strangely I also got 21 updates for .Net framework 4 along with 6 others, several of which are not included in the above listings. Win 7 Pro.
Microsoft Patch Tuesday: July 2013
MS13-052/KB2861561 – Vulnerabilities in .NET Framework and Silverlight
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Server 2003, 2008, 2008 R2 and 2012, including Server Core installations; Microsoft Silverlight 5 and Silverlight 5 Developer Runtime when installed on Windows clients, Windows servers and Mac systems). This update addresses seven vulnerabilities in the .NET Framework and Silverlight on all supported versions of Windows, which could allow remote code execution if a trusted application uses a particular code pattern. It is rated critical for later versions of .NET Framework and important for some earlier versions. A restart may be required after installation.
MS13-053/KB2850851 – Vulnerabilities in Windows Kernel-Mode Drivers
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 and 2012, including Server Core installations). This update is rated critical and affects all supported versions and editions of Microsoft Windows. It addresses eight vulnerabilities, based on the way Windows handles True Type Font (TTF) files and objects in memory. An exploit could result in remote code execution if a user views shared content with embedded TTF files. A restart may be required after installation.
MS13-054/KB2848295 – Vulnerability in GDI+
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 and 2012, including Server Core installations; Microsoft Office 2003, 2007 and 2010, Visual Studio .NET 2003 and Lync 2010 and 2013). This update addresses one vulnerability in Windows, Office, Visual Studio, and Lync, which could allow remote code execution if a user views shared content that embeds True Type Font (TTF) files. It’s rated critical for Windows and Lync, and important for Office and Visual Studio. It does not affect Office 2013/2013 RT, nor Visual Studio versions 2005 and later. It also does not affect Communicator, Live Communications Server, Speech Server, Live Meeting Console, Lync 2010, Lync Web Access, or Lync for Mac 2011. A restart may be required after installation.
MS13-055/KB2846071 – Cumulative Security Update for Internet Explorer
(Internet Explorer 6, 7, 8, 9 and 10 running on all supported versions and editions of Microsoft Windows). This update addresses seventeen vulnerabilities that impact all supported versions of IE, the most severe of which could allow remote code execution upon viewing of a specially crafted web page in IE. It needs to be applied on all machines except those running Server Core installations. Rating is critical for Windows clients and moderate for Windows servers. A restart is required after installation.
MS13-056/KB2845187 – Vulnerability in Microsoft DirectShow
(Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008, 2008 R2 SP1 and 2012). This update addresses one vulnerability in the way the DirectShow component opens GIF files, which could allow remote code execution if a specially crafted GIF image file is opened. This vulnerability does not affect Windows RT, Windows Server 2008, and 2008 R2 for Itanium-based systems, or Server Core installations. A restart may be required after installation.
MS13-057/KB2847883 – Vulnerability in Windows Media Format Runtime
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 SP1 and 2012). This update addresses one vulnerability in the way Windows Media Player opens certain media files, which could allow remote code execution if a specially crafted media file is opened. This vulnerability does not affect Windows Server 2008 and 2008 R2 for Itanium-based systems, or Server Core installations. A restart may be required after installation.
MS13-058/KB2847927 – Vulnerabilities in Windows Defender
(Windows 7 and Windows Server 2008 R2). This update addresses one vulnerability in Windows Defender running on Windows 7 or Windows Server 2008 R2 and the way it uses pathnames, which could allow elevation of privilege by which an attacker could take control of the system. However, the attacker must obtain valid logon credentials in order to exploit the vulnerability, thus it’s rated important. No restart is required.
Other Updates/Releases
KB2607607 – Language packs for Windows 8 and Windows RT. New language packs are available for Windows 8/RT for the following languages: Turkmen, Maori, Kannada, Norwegian, Konkani, Irish, Maltese, Urdu, Tatar, Assamese, Bangla.
KB2829104 – Teluga characters not displayed correctly in Nirmala UI font. (Windows 7 and Windows Server 2008 R2). This update addresses a problem of incorrect character display in Word 2013 on a computer running Windows 7 or Server 2008 R2.
KB2836945 – Update for .NET Framework 2.0 SP2. (Windows Server 2008 SP2). This update resolves two issues with ASP.NET based web pages.
KB2855336 – Update Rollup. (Windows 8, Windows RT and Server 2012). This update addresses an issue that can result in SD cards no longer being detected if the system transitions between different power states, along with nineteen other issues affecting these operating systems.
KB2859541 – Update to support new camera models. (Windows 8, Windows RT). This update adds codecs to provide support for seventeen new models of cameras from Canon, Epson, Nikon, Olympus, Panasonic, Pentax and Sony.
KB890830 – Windows Malicious Software Removal Tool – July 2013 (Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008, 2008 R2, and 2012). This is the regular monthly updated version of the Malicious Software Removal Tool (MSRT).
Updates since the last Patch Tuesday
There was only one out-of-band update released since the last Patch Tuesday, which came out on June 25, and that was an update to the MSRT, which is now superseded by the July edition of the tool.
Having problems with Windows Updates ?
Try CheckSUR: System Update Readiness Tool to repair Windows Update
http://www.thewindowsclub.com/checksur-system-update-readiness-tool
Follow up on Patch Tuesday Problems :
http://pcsupport.about.com/b/2013/07/09/patch-tuesday.htm
The forum is already filled with problems after the July updates :
Crashes, BSODs, Applications stopped responding, Browsers not running…..disconnected Steam, Facebook, ….
“How to download and install the June 2013 security updates” ?
It’s July 2013 :-)
Thanks, damn copy and paste ;)
I had 16 updates.
KB2840628 failed,but it was offered again and it was installed successfully.
Thanks again Martin for guiding me true this mouth 14 Microsoft 7/MS 2010 updates.
I see that your system is lucky to count 33 updates is that because, you have a Microsoft 8.1?
No that was on a Windows 7 64-bit system.