May 2013 - Patch Tuesday, the "yet another IE 0-day edition"

Last updated at Mon, 24 Jul 2017 17:15:37 GMT

Going into this patch Tuesday the big question was: will MS13-038 address the “Department of Labor IE 0-day (CVE-2013-1347)”? Microsoft had hinted strongly that a patch was on the way, with the unspoken caveat that there is always a risk of a it getting pulled at the last minute for quality issues. As it turns out, MS13-038 is what was expected and should address the “Department of Labor IE 0-day,” which is great. So hooray for that. Start patching with this one and follow it up with MS13-037 (the other IE critical patch).

On one level, this is Microsoft at their security best. They responded promptly to a publically disclosed issue and got the fix out in the next scheduled wave of patches. On another level, this issue, along with the fact that every single month we see another round of critical Internet Explorer patches, highlights what is wrong with Microsoft's patching and support models. Compare this to Google's Chrome browser, which quietly patches itself as fixes become available and has no down-level supported “old version,” which exposes millions of their users to risk. Or compare it to Firefox, which has straddled the fence with periodic Long-Term-Support (LTS) releases for the risk adverse IT departments but now defaults it's users to the same model as Chrome. Microsoft is tying up resources in maintaining the older versions and extending the window by which users are exposed to risk with their opt-in updates and periodic patching model.

The other notable this month is MS13-039, which is a Denial of Service affecting the http client and server which is part of Windows. While DoS attacks are generally considered second (or third) tier as far as risk, this could potentially be very disruptive to an organization, since many remote services and Active Directory integrations rely on http.sys.

The vulnerability in Lync requires a victim to choose to view a malicious presentation and the issue in .NET does not affect the default configuration. Neither should be ignored, but neither is critical.

Otherwise, there is a whole pile of CVEs in Microsoft's wayward child of the Office family, Publisher, which hardly anyone is going to care about. A vulnerability in Word and one in Visio, and the usual important but not crucial monthly patch to the Windows Kernel drivers.