Microsoft Security Bulletins For August 2013 overview
Welcome to our analysis of Microsoft's Patch Tuesday of August 2013. The company has released a total of eight bulletins this time that patch vulnerabilities in Microsoft Windows, Microsoft Server Software, and Internet Explorer.
Three of the bulletins have received a maximum severity rating of critical, the highest rating available, while the remaining five bulletins have all received one of important, the second highest rating.
What this means is that there is at least one product that is affected by a vulnerability this way, while other products may have received the same or a lower severity rating.
The eight bulletins that Microsoft is releasing fix a total of 23 different vulnerabilities in Microsoft products.
Operating System Distribution
This section looks at individual operating systems and how each one is affected by vulnerabilities that Microsoft fixed on this Patch Tuesday in August 2013.
Microsoft has released a total of eight bulletins for various client and server operating systems, and other software such as Microsoft Office or Internet Explorer. While Internet Explorer is included in Windows, it is handled separately by Microsoft in regards to vulnerabilities.
Windows XP is taking the crown this time as it is affected by more critical vulnerabilities than all other client operating systems. All other systems, Vista, 7 and 8, share the same vulnerability ratings.
You find the same distribution on the server side, with Windows Server 2003 affected by a single critical vulnerability, while newer server operating systems share the same vulnerability scores.
- Windows XP: 2 critical, 2 important
- Windows Vista: 1 critical, 3 important
- Windows 7:Â 1 critical, 3 important
- Windows 8:Â 1 critical, 3 important
- Windows RT: 1 critical, 2 important
- Windows Server 2003: 1 critical, 2 important, 1 moderate
- Windows Server 2008: 4 important, 1 moderate
- Windows server 2008 R2: 4 important, 1 moderate
- Windows Server 2012: 4 important, 1 moderate
Deployment Guide
Microsoft releases a deployment priority guide each month to aid system administrators and users in prioritizing updates. It is usually the case that critical updates should be deployed first before other updates are deployed.
Microsoft suggests the following deployment priority:
- Tier 1: MS13-059 update for Internet Explorer and MS13-060 which updates the Unicode Scripts Processor.
- Tier 2: MS13-061, an update for Exchange Server, Ms13-062 updating Remote Procedure Call, and Ms13-063 patching Windows Kernel.
- Tier 3: Ms13-066 an update for Active Directory Federation Services, Ms13-064 updating Windows NAT driver, and Ms13-065 updating ICMPv6.
Security Bulletins
- MS13-059 Cumulative Security Update for Internet Explorer (2862772)
- MS13-060 Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (2850869)
- MS13-061 Vulnerabilities in Microsoft Exchange Server Could Allow Remote Code Execution (2876063)
- MS13-062 Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (2849470)
- MS13-063 Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2859537)
- MS13-064 Vulnerability in Windows NAT Driver Could Allow Denial of Service (2849568)
- MS13-065 Vulnerability in ICMPv6 could allow Denial of Service (2868623)
- MS13-066 Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (2873872)
Non-security related updates
Security updates do get prioritized by Microsoft. It pays to look at the list of non-security updates that Microsoft has released as they can fix non-security related issues. This can improve the stability of a system, its performance, fix bugs in programs or features, or improve the system in other ways.
- Update for Windows 8 and Windows RT (KB2856373)
- Update for Windows 8, Windows RT, and Windows Server 2012 (KB2862768)
- Update for Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP (KB2863058)
- Windows Malicious Software Removal Tool - August 2013 (KB890830)/Windows Malicious Software Removal Tool - August 2013 (KB890830) - Internet Explorer Version
- Update for Root Certificates for Windows 8, Windows 7, Windows Vista, and Windows XP (KB931125)
- Language Packs for Windows RT (KB2607607)
- Language Packs for Windows RT and Windows 8 (KB2607607)
How to download and install the August 2013 security updates
Most Windows users have automatic updates enabled on their systems, which means that important updates do get downloaded and installed automatically on their systems. While that is the case, it is often a good idea to check for updates manually shortly after this article goes live as you may have to wait hours and sometimes even days before the updates get installed otherwise.
Most Windows users can do the following to check for updates.
- Tap on the Windows-key and type Windows Update in the form that opens.
- Select Windows Update from the list of results.
- Click on check for updates there to run a manual update check.
- Look at the updates found and click on install updates afterwards.
- It is usually required to restart the PC in the end to complete the process.
Experienced users and system administrators do not install updates right away. The core reason for this is that updates may include bugs or issues that Microsoft's quality testing has missed. That's why updates can also be downloaded from Microsoft directly.
This is not only useful when you want to test updates in a safe environment, a virtual machine or test system for example, but also when you need to deploy them on a larger scale. If you are using Windows Update to download updates, you are wasting bandwidth as each PC is downloading the same updates (provided they are running the same version of Windows).
You can download all patches from Microsoft's Download Center either individually, or as a monthly ISO image. An alternative to that are third party tools that you can use to download patches and updates to your system.
Advertisement
As always, thank you very much Martin for your article and Ilev for your detailed comment post on the month Microsoft Updates :)
MICROSOFT FIXES ASLR/DEP BYPASS BUG
…http://threatpost.com/microsoft-fixes-aslrdep-bypass-bug/101983?utm_source=Newsletter_081413&utm_medium=Email+Marketing&utm_campaign=Newsletter&CID=&CID=
Martin, What is your server’s date and time ? it seems 7 hours back.
Relax, You Don’t Have to Fix Every Vulnerability
Here’s an idea: stop fixing every vulnerability you read about. The best thing to do, it turns out, is to look at the vulnerabilities that are in both Metasploit and the Exploit Database and fix those. That gives you the highest chance of fixing bugs that are likely to be used in an actual attack…
http://blog.risk.io/2013/08/stop-fixing-all-the-things-bsideslv/
Microsoft Patch Tuesday: August 2013
MS13-059/KB2862772 – Cumulative Security Update for Internet Explorer (IE 6, 7, 8, 9 and 10 on Windows XP, Vista, Windows 7, Windows 8, Windows RT and Server 2003, 2008, 2008 R2 and 2012, all editions). This update is rated critical for client and important for server operating systems and affects all listed versions of the Internet Explorer web browser and all currently supported Windows operating systems (server core installations excluded). It addresses eleven different vulnerabilities that stem from the way IE handles objects in memory, some of which allow remote code execution if a specially crafted malicious web page is visited. A restart is required after installation.
**
MS13-060/KB2850869 – Vulnerability in Unicode Scripts Processor Could Allow Remote Code Execution (Windows XP, Server 2003). This update is rated critical XP and Server 2003. It addresses one vulnerability in Unicode Scripts specifically if the Indic language pack (Bangali font) is installed. A victim could browse to a malicious webpage and be attacked. A restart may not be required after installation.
**
MS13-061/KB2876063 – Vulnerability in Exchange Server Could Allow Remote Code Execution (Exchange 2007, 2010 and 2013). This update is rated Critical for Exchange Servers. It addresses three vulnerabilities in WebReady Document Viewing and Data Loss Prevention features of Microsoft Exchange Server. The vulnerability could allow remote code execution in the security context of the transcoding service on the Exchange server if a user previews a specially crafted file using Outlook Web App (OWA). It specially addresses the Oracle Outside In issues included in a recent Oracle security update. A restart is not required after installation.
**
MS13-062/KB2849470 – Vulnerability in Remote Procedure Call Could Allow Elevation of Privilege (Windows Vista, Windows 7, Windows 8, Windows RT, Server 2008, 2008 R2, and 2012, including server core installation). This update is rated Important for all operating systems. It addresses vulnerability by correcting the way that Microsoft Windows handles asynchronous RPC messages. The vulnerability could allow elevation of privilege if an attacker sends a specially crafted RPC request. It will be difficult to trigger this attack reliably. A restart is required after installation.
**
MS13-063/KB2859537 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (32bit versions of Windows XP, Windows Server 2003, and Windows 8; and all supported editions of Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2). This update is rated important for impacted operating systems. It addresses vulnerabilities by changing how the Windows kernel validates memory address values and by modifying functionality to maintain the integrity of ASLR. The update also addresses a recent CanSecWest pwn2own exploit. A restart is required after installation.
**
MS13-064/KB2849568 – Vulnerability in Windows NAT Driver Could Allow Denial of Service (Windows Server 2012). This update is rated important for Windows Server 2012. It addresses one vulnerability in the Windows NAT Driver in Microsoft Windows. The vulnerability could allow denial of service if an attacker sends a specially crafted ICMP packet to a target server that is running the Windows NAT Driver service. This was first introduced in Windows Server 2012. A restart is required after installation.
**
MS13-065/KB2868623 – Vulnerability in ICMPv6 could allow Denial of Service (Windows Vista, Windows Server 2008, Windows 7, Windows Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT) The update is rated important for impacted systems. It addresses one vulnerability that could allow a denial of service if the attacker sends a specially crafted ICMP packet to the target systems. A restart is required after installation.
**
MS13-066/KB2873872 – Vulnerability in Active Directory Federation Services Could Allow Information Disclosure (Windows Server 2003, 2008, 2008 R2 and 2012) The update is rated important for impacted systems. It addresses one vulnerability that could reveal information pertaining to the service account used by AD FS leading to attempted logins and denial of service attacks. A restart is required after installation.
Other Updates/Releases
There were non-security updates released for August, including the regular monthly update for the Malicious Software Removal Tool (MSRT).
**
KB2856373 – Update to improve protection functionality in Windows Defender (Windows 8, Windows RT, Server 2012). This update improves protection functionality in Windows Defender A restart is required.
*
KB2862768 – Windows RT, Windows 8, and Windows Server 2012 update rollup: August 2013 (Windows 8, Windows RT and Server 2012). This update resolves an issue in which some Micro SD cards are not detected on Windows 8 tablets as well as several other issues. A restart is required after installation.
**
KB2863058 – August 2013 cumulative time zone update for Windows operating systems (Windows 8, Windows RT, Windows Server 2012, Windows Embedded Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP). This update contains time zone fixes impacting Libya, Israel, Pacific SA, Paraguay, West Asia, and Morocco. No restart is required after installation.
*
KB931125 – Update for Root Certificates (Windows XP [manually]). This item updates the list of root certificates on your computer to the list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. A restart is required after installation.
**
KB2767849 – 2007 Office system update: August 13, 2013 (Office 2007). This item fixes an issue where Office 2007 cannot add a digital signature to a document. A restart is not required after installation.
*
KB2861855 – Updates to Improve Remote Desktop Protocol Network-level Authentication (Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2]. The update adds defense-in-depth measures to the Network Level Authentication (NLA) technology within the Remote Desktop Protocol in Microsoft Windows. A restart is not required after installation.
**
KB890830 – Windows Malicious Software Removal Tool, August 2013. This is the monthly release of the latest version and definitions for the MSRT, which checks your computer for specific prevalent malware.
Rereleased updates since Patch Tuesday
Microsoft has rereleased two updates since last Patch Tuesday to fix issues associated with the updates:
**
MS13-052/KB2861561 – Vulnerabilities in .NET Framework and Silverlight Could Allow Remote Code Execution (Windows Server 2003, 2008, 2008 R2 and 2012) The Bulletin revised to rerelease the 2840628, 2840632, 2840642, 2844285, 2844286, 2844287, and 2844289 updates. Customers should install the rereleased updates that apply to their systems. A restart is required after installation.
**
MS13-057/KB2847883 – Vulnerability in Windows Media Format Runtime Could Allow Remote Code Execution (Windows 7, Windows Server 2008 R2,) The Bulletin revised to rerelease the 2803821 update due to issues with WMV files and certain applications. Customers should install the rereleased updates that apply to their systems. A restart may be required after installation.
Thanks, much appreciated.
Thanks
Hik your severity and bulletin images link to the same small files, normally these are large and usable, can you fix please ?
You can download larger versions from this article: http://blogs.technet.com/b/msrc/archive/2013/08/13/leaving-las-vegas-and-the-august-2013-security-updates.aspx?Redirected=true
“How to download and install the *July* 2013 security updates”
Corrected, damn copy and paste.
Hallo Martin, Thanks for your monthly update which who I understand what I am doing when I am updating. Thru your guiding explanation it even makes sense! :-)
This mouth white the new page style (the white of the page is just white enough and the letters are nice/calming to read) on main 22 inch monitor I am enjoying your website even more.
There is only one thing I am wondering about the thumbnail (picture) from this page on the page before this. The page with the short summery of what’s in the article’s.
Why I do not understand why do you need those thumbnails? There to small to really show me anything from this page, so personally up-til right now I think there a waste of effort.