Microsoft Security Bulletins for January 2013 Released

Here’s a quick summary of this month’s Microsoft Security Bulletins …

It is the first Microsoft patch day of the new year  and we continue our monthly series where we look at the security bulletins that get released, how the bulletins are best deployed and what you need to know besides that.  Microsoft has released a total of seven bulletins of which two have a maximum severity rating of critical, the highest possible rating while the remaining five bulletins have received a severity rating of important.

What that means? There is at least one Microsoft product version that is affected by that severity. When you look at the products you will notice that six of the seven bulletins fix issues in Microsoft’s Windows operating system, two in Microsoft’s .Net Framework and Microsoft Server Software, and one in Microsoft Office and Developer Tools.

The January 2013 Security Bulletins

  • MS13-001 – Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution (2769369) – This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a print server received a specially crafted print job. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems connected directly to the Internet have a minimal number of ports exposed.
  • MS13-002 – Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (2756145) – This security update resolves two privately reported vulnerabilities in Microsoft XML Core Services. The vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes the user to the attacker’s website.
  • Ms13-003 – Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege (2748552) – This security update resolves two privately reported vulnerabilities in Microsoft System Center Operations Manager. The vulnerabilities could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL. An attacker would have no way to force users to visit such a website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the affected website.
  • MS13-004 – Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (2769324) – This security update resolves four privately reported vulnerabilities in the .NET Framework. The most severe of these vulnerabilities could allow elevation of privilege if a user views a specially crafted webpage using a web browser that can run XAML Browser Applications (XBAPs). The vulnerabilities could also be used by Windows .NET applications to bypass Code Access Security (CAS) restrictions. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-005 – Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privilege (2778930) – This security update resolves one privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker runs a specially crafted application.
  • MS13-006 – Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (2785220) – This security update resolves a privately reported vulnerability in the implementation of SSL and TLS in Microsoft Windows. The vulnerability could allow security feature bypass if an attacker intercepts encrypted web traffic handshakes.
  • MS13-007 – Vulnerability in Open Data Protocol Could Allow Denial of Service (2769327) – This security update resolves a privately reported vulnerability in the Open Data (OData) protocol. The vulnerability could allow denial of service if an unauthenticated attacker sends specially crafted HTTP requests to an affected site. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Overview of affected Windows systems and their severity rating.

  • Windows XP SP 3 – 1 critical, 2 important
  • Windows Vista SP2 – 1 critical, 4 important
  • Windows 7 – 2 critical, 4 important
  • Windows 8 – 1 critical, 4 important
  • Windows RT – 1 critical, 4 important
  • Windows Server 2003 – 2 important, 1 moderate
  • Windows Server 2008 – 4 important, 1 moderate
  • Windows Server 2008 R2 – 1 critical, 4 important, 1 moderate
  • Windows Server 2012 – 4 important, 1 moderate

Deployment guide and severity index

bulletin deployment guide january 2013

severity index january 2013

Revised advisories

Microsoft has revised two advisories this month. First Security Advisory 2755801 which addresses the latest issues in Adobe Flash Player for Internet Explorer 10. It is a cumulative update that contains all previous updates for Flash Player.

The second revised advisory is Security Advisory 973811 which adds a Fix It that automatically “sets Windows XP and Server 2003 systems to only allow NTLMv2″.

How to download and install the January 2013 updates

You have a couple of options to download and install the new security updates. If you have automatic updates enabled you do not really need to do anything. I’d still suggest you open Windows Update to check for new updates right away as it can take a while before Windows picks those up manually.

windows updates january 2013

If you do not have automatic updates enabled you can download the updates from Microsoft’s Download Center. Here you find each update listed that was released today, as well as a monthly security ISO DVD that contains them all.

You may want to consider the second option if you need to deploy the updates on multiple machines as you need to download them once only using the method.

The post Microsoft Security Bulletins For January 2013 Released appeared first on gHacks Technology News | Latest Tech News, Software And Tutorials.

Link to Original Content

Tags: , , , ,

Comments are closed.