Microsoft Security Bulletins for April 2013 Overview

Here’s a quick summary of what you’ll find in this month’s Microsoft Security Bulletin …

Microsoft released security patches for several of its products a couple of minutes ago as part of this month’s patch day. A total of nine security bulletins affecting one or multiple Microsoft products have been released. Products affected by security issues are Microsoft Windows, Internet Explorer, Microsoft Office, Microsoft Security Software and Microsoft Server Software.

When we look at the maximum severity rating, we see that there are two bulletins with the highest severity rating of critical while the remaining seven are all listed as important. What this means is that there is at least one product affected by the highest severity rating while others may have received the same, a lower rating, or no rating at all if they are not affected by the vulnerability.

Operating system distribution

As always, we begin by looking at the list of security bulletins sorted by operating system: first the Windows desktop operating systems, starting with Windows XP, and then the server operating systems, starting with Windows Server 2003. Windows XP is most severely affected this month while Windows 8 is the least affected (not counting Windows RT). As far as server operating systems go, we conclude that the bulletins are most severe on the older systems and less severe on newer versions.

  • Windows XP: 2 critical, 3 important, 1 low
  • Windows Vista: 2 critical, 2 important, 1 moderate, 1 low
  • Windows 7: 2 critical, 2 important, 1 low
  • Windows 8: 1 critical, 2 important, 1 low
  • Windows RT: 1 critical, 2 important
  • Windows Server 2003: 4 important, 2 moderate
  • Windows Server 2008: 3 important, 3 moderate
  • Windows Server 2008 R2: 3 important, 2 moderate
  • Windows Server 2012: 3 important, 1 moderate

Deployment Guide

You can use the deployment priority guide to determine the order in which the security patches should be installed on affected systems. This is helpful for system administrators and network admins who need to patch multiple PCs running a Microsoft product. It may also be helpful for end users who test patches thoroughly before they are installed on production systems.

Microsoft suggests deploying the two critical updates first, MS13-028 and MS13-029, then the following group of four important updates, MS13-036, MS13-031, MS13-034 and MS13-032, before the remaining three important updates are deployed (MS13-033, MS13-036 and MS13-030).

The April 2013 Security Bulletins in detail

  • MS13-028 – Cumulative Security Update for Internet Explorer (2817183) – This security update resolves two privately reported vulnerabilities in Internet Explorer. These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-029 – Vulnerability in Remote Desktop Client Could Allow Remote Code Execution (2828223) – This security update resolves a privately reported vulnerability in Windows Remote Desktop Client. The vulnerability could allow remote code execution if a user views a specially crafted webpage. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
  • MS13-030 – Vulnerability in SharePoint Could Allow Information Disclosure (2827663) – This security update resolves a publicly disclosed vulnerability in Microsoft SharePoint Server. The vulnerability could allow information disclosure if an attacker determined the address or location of a specific SharePoint list and gained access to the SharePoint site where the list is maintained. The attacker would need to be able to satisfy the SharePoint site’s authentication requests to exploit this vulnerability.
  • MS13-031 – Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (2813170) – This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
  • MS13-032 – Vulnerability in Active Directory Could Lead to Denial of Service (2830914) – This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service.
  • MS13-033 – Vulnerability in Windows Client/Server Run-time Subsystem (CSRSS) Could Allow Elevation of Privilege (2820917) – This security update resolves a privately reported vulnerability in all supported editions of Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008. The vulnerability could allow elevation of privilege if an attacker logs on to a system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.
  • MS13-034 – Vulnerability in Microsoft Antimalware Client Could Allow Elevation of Privilege (2823482) – This security update resolves a privately reported vulnerability in the Microsoft Antimalware Client. The vulnerability could allow elevation of privilege due to the pathnames used by the Microsoft Antimalware Client. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users.
  • MS13-035 – Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege (2821818) – This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow elevation of privilege if an attacker sends specially crafted content to a user.
  • MS13-036 – Vulnerabilities in Kernel-Mode Driver Could Allow Elevation Of Privilege (2829996) – This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Microsoft Windows. The most severe of these vulnerabilities could allow elevation of privilege if an attacker logs on to the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the most severe vulnerabilities.

Non-security related updates

Microsoft has released the following non-security updates for various products as well. Consult the list below to find out more about those updates:

  • Update for Windows Embedded Standard 7 (KB2533552)
  • Update for Windows 7 and Windows Server 2008 R2 (KB2799926)
  • Update for Windows 8, Windows RT, and Windows Server 2012 (KB2800033)
  • Update for Windows 8, Windows RT, and Windows Server 2012 (KB2822241)
  • Update for Windows 7, Windows Server 2008 R2, and Windows Server 2008 (KB2823180)
  • Windows Malicious Software Removal Tool – April 2013 (KB890830)/Windows Malicious Software Removal Tool – April 2013 (KB890830) – Internet Explorer Version
  • Language Packs for Windows RT (KB260760)
  • Internet Explorer 10 for Windows 7 and Windows Server 2008 R2 (KB2718695)
  • Windows 7 Service Pack 1 (KB976932)

How to download and install the April 2013 security updates

Windows updates can be installed using the operating system’s automatic update feature, which is the most convenient way and the preferred option for the majority of home users.

On Windows 8, tap the Windows key to get to the start screen interface, enter Windows Update, select Settings on the Charms Bar, and then Check for updates in the results listing.

Here you can click on check for updates to run a manual update check. Windows should pick up the new updates right away so that you can download and install them to your system.

Updates are also available on Microsoft’s Download Center, where they can be downloaded as standalone updates or in the form of a monthly security ISO that contains all security patches of a particular month.
