It's Microsoft Patch Tuesday: January 2013

Deb Shinder gathers the information you need to make the right deploy decision when applying Microsoft's January 2013 patches in your organization.

The world didn't end on December 22, and you know what that means: you're going to have to keep patching your systems every month for the foreseeable future. Here's hoping that by now, you've fully recovered from all those holiday dinners and New Year's celebrations and are ready to tackle whatever 2013 has to throw at you.

Seven is considered by some to be a lucky or even divine number. Apparently Microsoft likes it (and why not? Windows 7 was a big hit); once again they've given us seven security bulletins. Most affect various versions of the Windows operating systems, but only two are rated "critical" this time; the rest are tagged as "important."

This blog post is also available in PDF format as a TechRepublic download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

MS13-001/KB2769369 - Vulnerability in Windows Print Spooler Components Could Allow Remote Code Execution (Windows 7 and Windows 7 SP1, all editions of Server 2008 R2 including Core installation). This critical update addresses one vulnerability present in Windows 7 and Server 2008 R2 that could be exploited to allow an attacker to remotely execute code on the computer by sending a specially crafted print job to a print server. It does not affect other versions of Windows. If you're running Server 2008 R2 in Server Core installation and the Printing-ServerCore-Role setting is not enabled, you won't be offered this update. Proper firewall configuration can help mitigate this vulnerability. This update requires you to restart the system.

MS13-002/KB2756145 - Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (Windows XP SP3, Windows XP Pro x64 SP2, all editions of Windows Server 2003, Vista SP2, all editions of Server 2008, Windows 7 and Windows 7 SP1, all editions of Server 2008 R2 including Core installation, Windows 8, Server 2012 including Core installation, Windows RT, Microsoft Office 2003 SP3, 2007 SP2 and 2007 SP3, Microsoft Word Viewer, Microsoft Office Compatibility Pack SP 2 and SP3, Microsoft Expression Web SP 1 and SP2, all editions of Microsoft SharePoint Server 2007 SP2 and SP3, Microsoft Groove Server 2007 SP 2 and SP3). This critical update addresses two vulnerabilities in Microsoft XML Core Services. The list of affected software is long and complicated; there are a number of combinations of XML Core Services 3.0 and operating system versions and application or server software that are not affected (see the full security bulletin for this list). Further, the impact ranges from moderate to critical, depending on the OS/software affected. If exploited, the vulnerability could enable an attacker to remotely execute code on the computer, but the user would have to use IE to visit the attacker's specially crafted website, so proper security precautions (e.g., not clicking links in email or instant messages) will help mitigate this vulnerability. This update may require you to restart the system.

MS13-003/KB2748552 - Vulnerabilities in System Center Operations Manager Could Allow Elevation of Privilege (Microsoft System Center Operations Manager 2007 SP 1, SCOM 2007 R2). This update addresses two vulnerabilities that are confined to SCOM 2007. SCOM 2012 is not affected. The vulnerabilities could be exploited to allow an attacker to obtain elevated privileges if a user could be convinced to visit a specially crafted web site. As above, the risk is reduced by proper security practices. The update for SCOM 2007 R2 is available from the Microsoft Download Center; the update for SCOM 2007 SP1 is not yet available but is expected to be released when testing is completed. This update does not require you to restart the system.

MS13-004/KB2769324 - Vulnerabilities in .NET Framework Could Allow Elevation of Privilege (Windows XP SP3, Windows XP Pro x64 SP2, all editions of Windows Server 2003, Vista SP2, all editions of Server 2008, Windows 7 and Windows 7 SP1, all editions of Server 2008 R2 including Core installation, Windows 8, Server 2012 including Core installation, Windows RT). This important update affects virtually all currently supported editions of Windows and addresses four vulnerabilities in all versions of the .NET Framework, including an elevation of privilege issue and a vulnerability that allows bypass of Code Access Security restrictions. This update may require you to restart the system.

MS13-005/KB2778930 - Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of Privileges (Vista SP2, all editions of Windows Server 2008 including Core installation, Windows 7 and Windows 7 SP1, all editions of Server 2008 R2 including Core installation, Windows 8, Server 2012 including Core installation, Windows RT). This important update addresses one vulnerability in virtually all supported versions of Windows with the exception of Windows XP SP3 and Server 2003 SP2. The vulnerability is related to the way the Windows kernel-mode driver handles window broadcast messages and could be used to gain elevated privileges by an attacker who runs a specially crafted application. This update requires you to restart the system.

MS13-006/KB2785220 - Vulnerability in Microsoft Windows Could Allow Security Feature Bypass (Vista SP2, all editions of Windows Server 2008 including Core installation, Windows 7 and Windows 7 SP1, all editions of Server 2008 R2 including Core installation, Windows 8, Server 2012 including Core installation, Windows RT). This important update addresses one vulnerability in SSL/TLS in virtually all supported versions of Windows with the exception of Windows XP SP3 and Server 2003 SP2. An exploit could result in the attacker bypassing security after intercepting encrypted web traffic handshakes. The update requires you to restart the system.

MS13-007/KB2769327 - Vulnerability in Open Data Protocol Could Allow Denial of Service (Windows XP SP3, Windows XP Pro x64 SP2, all editions of Windows Server 2003, Vista SP2, all editions of Server 2008, Windows 7 and Windows 7 SP1, all editions of Server 2008 R2 including Core installation, Windows 8, Server 2012 including Core installation). This important update affects the .NET Framework and all currently supported versions of Windows with the exception of Windows RT. It addresses one vulnerability in the Open Data protocol (OData) that could enable an attacker to create a DoS attack by sending a special HTTP request to an affected site. The vulnerability is mitigated by proper firewall configuration. This update may require you to restart the system.

Other Updates/Releases

This is a fairly heavy month for non-security updates, with twelve updates - but light in comparison to the eighteen updates we had in December.

KB2796096 - Update for Internet Explorer Flash Player for Windows 8, Windows RT, and Windows Server 2012. Although listed in the "Non-security updates" on Microsoft's web site, this update addresses security vulnerabilities in Adobe Flash Player in IE 10, which are described in Adobe's Security Bulletin APSB13-01.

KB2726535 - Update for Windows 7, Windows Server 2008 R2, and Windows Server 2008. This update adds the Republic of South Sudan to the list of countries in the named operating systems.

KB2750147 - Update for Microsoft .NET Framework 4.5 on Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista. This update fixes some reliability, compatibility, performance and stability issues in .NET Framework 4.5 for the named operating systems.

KB2750149 - Update for Windows 8, Windows RT, and Windows Server 2012. Like the update above, this fixes some reliability, compatibility, performance and stability issues in .NET Framework 4.5 for the named operating systems.

KB2763674 - Update for Windows Server 2008 and Windows Vista. This update fixes an issue where you cannot run an application that is signed with a SHA-256 certificate on a computer running the named operating systems.

KB2770445 - Update for Microsoft .NET Framework 4.5 on Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista. This update resolves an issue in the Microsoft .NET Framework 4.5 (different from the above update) that causes digital signatures on files produced and signed by Microsoft to expire prematurely.

KB2770446 - Update for Microsoft .NET Framework 4.5 Language Packs for x64-based Systems. This update is like the one above that addresses prematurely expiring signatures, for x64-based systems.

KB2773072 - Update for Windows 7. This update makes Windows 7 compliant with game ratings issued by various countries and adds new rating systems in Australia, Brazil, South Africa and New Zealand.

KB2785094 - Update for Windows 8, Windows RT, and Windows Server 2012. This is a cumulative update for the named operating systems that resolves performance and reliability issues related to video playback quality when streaming from Windows Media Center to Xbox consoles, Bluetooth audio playback quality and an issue that prevents you from installing a Windows Store app update if the app is installed to multiple accounts.

KB2786081 - Update for Windows 7 and Windows Server 2008 R2. This update fixes an issue wherein IE 10 doesn't save credentials for a website after you log off or restart a computer running the named operating systems.

KB2786400 - Update for Windows 7 and Windows Server 2008 R2. This update changes the default settings of the shaping behavior for Arabic text rendering in the named operating systems.

KB890830 - Windows Malicious Software Removal Tool - January 2013 and Windows Malicious Software Removal Tool - January 2013 Internet Explorer Version. This is the monthly update to the MSRT.

Updates since the last Patch Tuesday

There was only one update issued between the December and January patch Tuesday releases:

KB2798897 (January 3) - Update for Windows. This update was an out-of-band advisory that revokes the trust of fraudulent digital certificates.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

11 comments
Peagravel

Failed to load on XP Home sp-3.

sightsandsounds

I'm wandering around in my new Windows 8 PC and I can't get out. I can see a big bright ray of light going up into the reaches but I can't get to it.

jana.squires

Can't confirm just yet but I strongly believe that one of these updates has prevented our ticketing system software BMC (aka Numara) Track-It from running. Track-It was working fine yesterday prior to the update, but after the update, it no longer seems to be functioning. It's not conclusive yet as I'm not sure if any other processes ran overnight to cause this issue but I strongly suspect that it's one of the updates, as the .Net Framework is one of Track-It's system requirements.

Gisabun

You have KB2786081 that is for IE10 - yet, IE10 hasn't been released [in beta?]. You are forced [well you can hide/ignore them] to install KB2786400 and KB2726535 - even if you don't need them.

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having.

Gisabun

Which Dot Net 2.0? 3.0? 3.51? 4.0? 4.5? They were all updated [again....]. I wish they'd release a roll-up or service pack to cover the numerous updates. 3.512 [for example] is a bloody mess.

Mark W. Kaelin

Internet Explorer in Windows 8 is version 10. Perhaps the patch applies to 10, 9 and 8, but just not expressed that way?

jana.squires

Hi Gisabun, the update was for .Net 4. With the help of Track-It support we found out that the account used by the service no longer had access to the required directories via the UNC path. I'm still uncertain as to which update, if any, might have caused this issue but we have used the local path instead and now the required Track-It service is running. Wish I had a more conclusive answer but for now, there you have it.

Gisabun

Sometimes they will release an update prior to the actual release of the main package, just so that it's on the computers when time to install. Call it a prerequisite.

Gisabun

I think there was just the one update for DNF4.
