Another month, another set of Microsoft Patch Tuesday security updates for Internet Explorer.
For what seems to be the umpteenth month in a row, Microsoft will patch its browser; the IE update is one of three critical updates among the eight bulletins expected to ship on Tuesday.
While IE patches remain a constant in 2013, IT administrators and network managers also need to be aware of a critical set of patches for Microsoft Exchange Server 2013, as well as 2010 and 2007, both of which are on Service Pack 3.
The bugs in IE, Exchange Server and the Windows OS are all rated critical because they are remotely exploitable; it’s unknown today how many, if any, are being actively exploited.
“Across the board, all supported versions of Microsoft Exchange Server are affected by a critical vulnerability,” said Tripwire security researcher Craig Young. “If I remember correctly, the last time we saw this was back in February when it was revealed that the transcoding service used to render content for Outlook Web Access sessions could be abused for remote code execution in the context of that service. Exchange servers are invariably connected to the Internet in some form or another so it’s going to be urgent to patch this one post-haste.”
MS13-012, released in February, patched vulnerabilities in the Exchange WebReady Document Viewing feature; if a user viewed a malicious file through OWA in a browser, an attacker could run code on the Exchange server remotely or crash the server.
Ross Barrett, senior manager of security engineering at Rapid7, said the Exchange patches should be of the greatest concern to organizations.
“If this is truly a remotely exploitable issue that does not require user interaction, then it’s a potentially wormable issue and definitely should be put at the top of the patching priority list,” Barrett said.
IE, meanwhile, is about to be patched for the eighth time this year, including an out-of-band patch in January to address exploits being used in a number of watering hole attacks.
The third critical bulletin addresses vulnerabilities in Windows XP and Windows Server 2003 that are remotely exploitable.
“For some organizations this patch may be of less concern, if they have already moved to newer Windows versions,” Barrett said.
The remaining bulletins are rated “Important” by Microsoft based on whether they are remotely exploitable and whether exploits are in the wild. All of the “Important” bulletins patch vulnerabilities in Windows: two of them are privilege escalation bugs, two are denial-of-service vulnerabilities and one is an information disclosure flaw.