It's Microsoft Patch Tuesday: June 2013

Deb Shinder gathers the information you need to make the right deployment decision when applying Microsoft's June 2013 patches in your organization.

June heralds the beginning of summer, and most IT admins would probably prefer sipping piña coladas at the beach to sitting in the server room, babysitting a long run of security updates. But hey, that's why we get paid the big bucks.

The good news is that this month brings us only five security bulletins - just half the number we had in May - so you might be able to break away and spend some time in the sun sooner than you thought; the bad news is that four of the five require a reboot, and one of them is a critical issue that impacts just about all versions of Internet Explorer (6 through 10).

Tommy Chin, technical support engineer with CORE Security, summed it up this way: "Microsoft Windows, Internet Explorer, and Microsoft Office are affected by these vulnerabilities. These are the most basic and most popular Microsoft products in use today, therefore the impact is very high." So don't be complacent due to the relatively smaller number of bulletins; getting these patches applied is still vitally important.

This blog post is also available in PDF format as a TechRepublic download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.

Security Patches

This month's five security bulletins address vulnerabilities in Internet Explorer, the Windows OS, and Microsoft Office.

MS13-047/KB2838727 - Cumulative Security Update for Internet Explorer (IE 6, 7, 8, 9 and 10 on Windows XP, Vista, Windows 7, Windows 8, Windows RT and Server 2003, 2008, 2008 R2 and 2012, all editions). This update is rated critical for client and moderate for server operating systems and affects all listed versions of the IE web browser and all currently supported Windows operating systems (server core installation excluded). It addresses nineteen different vulnerabilities that stem from the way IE handles objects in memory, some of which allow remote code execution if a specially crafted malicious web page is visited. A restart is required after installation.

MS13-048/KB2839229 - Vulnerability in Windows Kernel Could Allow Information Disclosure (Windows XP, Vista, Windows 7 and Windows 8, Server 2003, 2008, 2008 R2 and 2012). This update is rated important and addresses a vulnerability in the way Windows handles page fault system calls. The vulnerability could allow disclosure of information if an attacker logs on to a system and runs specially crafted software (or convinces a legitimate logged-on user to run such software). Note that the attacker cannot exploit this vulnerability without the ability to log on locally, and it doesn't allow remote code execution or elevation of privileges. A restart is required after installation.

MS13-049/KB2845690 - Vulnerability in Kernel-Mode Driver Could Allow DoS (Windows Vista, Windows 7, Windows 8, Windows RT, Server 2008, 2008 R2, and 2012, including server core installation). This update is rated Important for Windows RT, 8 and Server 2012, moderate for other affected operating systems. It addresses one vulnerability in the way the TCP/IP kernel-mode driver handles specially crafted packets, which could allow an attacker to cause a denial of service by sending such packets. It does not affect Windows XP or Server 2003. A restart is required after installation.

MS13-050/KB2839894 - Vulnerability in Windows Print Spooler Components Could Allow Elevation of Privilege (Windows Vista, Windows 7, Windows 8, Windows RT, Server 2008, 2008 R2, and 2012, including server core installation). This update is rated Important for all affected operating system versions. Windows XP and Server 2003 are not affected. It addresses one vulnerability in the way the Windows print spooler allocates memory when a printer connection is deleted, which could allow elevation of privilege when an authenticated user deletes a printer. The user must have valid logon credentials to exploit this vulnerability. A restart is required after installation.

MS13-051/KB8239571 - Vulnerability in Microsoft Office Could Allow Remote Code Execution (Office 2003 SP3 and Office for Mac 2011). This update is rated Important for the affected versions of Office. It addresses one vulnerability in the specifically listed versions of Microsoft Office that is based on the way Office parses specially crafted Office files and could allow remote code execution if a user opens a malicious file or opens/previews a message in Outlook, using Word as the email reader. Office 2007, 2010, 2013/2013 RT, the Compatibility Pack SP3 and the Excel and PowerPoint viewers are not affected. A restart may be required after installation.

Other Updates/Releases

There were a whopping 17 non-security updates released today, including the regular monthly update for the Malicious Software Removal Tool (MSRT).

KB2808679 - Update to protect from internal URL port scanning (Windows XP, Vista, Windows 7, Windows 8, Windows RT, Server 2003, 2008, 2008 R2 and 2012). This update prevents an external network from verifying whether a URI port on the internal network is open or closed. A restart is not required.

KB2818604 - Microcode update for AMD computers (Windows 7 and Windows 8). This update is for computers that use certain AMD processors (C, E, G and Z series) and updates the processor microcode. There is a Fix It link available as well as instructions for manual installation.

KB2821895 - Servicing stack update (Windows 8, Windows RT, Server 2012). This update contains four improvements and fixes for seven issues in the servicing stack on the listed operating systems. A restart is required after installation.

KB2824160 - Update rollup 2 for Windows Server 2012 Essentials (Windows Server 2012 Essentials). This update rollup includes fixes for server-side issues and also installs the client-side rollup package automatically. Issues that are addressed include a problem with Office 365 integration service crashing, a failed operation when changing user access level or folder permissions and a problem with using PowerShell to enable Office 365. Rollup 2 beta must be uninstalled before installing this final version. A restart is not required after installation.

KB2834140 - "0x00000050" Stop error (Windows 7 SP1 and Windows Server 2008 R2 SP1). This update addresses a problem that causes a Stop error (PAGE_FAULT_IN_NONPAGED_AREA) when there is a combination of Intel and AMD video cards installed. A restart is not required after installation.

KB2836187 - Update to support camera-specific file formats (Windows 8, Windows RT). This update installs a Microsoft Camera Codec Pack that makes it possible to view RAW image files in the modern UI in Windows 8 and RT and open them with Windows Explorer and Windows-based applications. A restart is required after installation.

KB2836502 - Certain JPEG images cannot be displayed (Windows 7 SP1 and Server 2008 R2 SP1). This update addresses a problem whereby you can't view certain JPEGs after installing update 270838 when the JPEG is a non-progressive compressed JPEG and its components span multiple scans. A restart is required after installation.

KB2836939 - Update for .NET Framework 4 (Windows XP, Vista, Windows 7, Server 2003, 2008 and 2008 R2). This is an update to the .NET framework that resolves two issues related to a JavaScript error and an ASP.NET problem. A restart is required if any affected files are being used.

KB2836940 - Update for .NET Framework 3.5 SP1 (Windows XP, Vista, Server 2008 and 2008 R2). This is an update to the .NET framework that resolves two issues related to a JavaScript error and an ASP.NET problem. A restart is required if any affected files are being used.

KB2836941 - Update for .NET Framework 2.0 SP2 (Windows XP and Server 2008). This is an update to the .NET framework that resolves two issues related to a JavaScript error and an ASP.NET problem. A restart is required if any affected files are being used.

KB2836942 - Update for .NET Framework 3.5.1 (Windows 7 SP1 and Server 2008 R2 SP1). This is an update to the .NET framework that resolves two issues related to a JavaScript error and an ASP.NET problem. A restart is required if any affected files are being used.

KB2836943 - Update for .NET Framework 3.5.1 (Windows 7 SP1 and Server 2008 R2 SP1). This is an update to the .NET framework that resolves two issues related to a JavaScript error and an ASP.NET problem. A restart is required if any affected files are being used.

KB2836946 - Update for .NET Framework 3.5 (Windows 8 and Server 2012). This is an update to the .NET framework that resolves two issues related to a JavaScript error and an ASP.NET problem. A restart is required if any affected files are being used.

KB2836947 - Update for .NET Framework 3.5 (Windows 8 and Server 2012). This is an update to the .NET framework that resolves two issues related to a JavaScript error and an ASP.NET problem. A restart is required if any affected files are being used.

KB2845533 - Update Rollup http://support.microsoft.com/kb/2836947 (Windows 8, RT and Server 2012). This update package includes improvements to the performance and reliability of the listed operating systems and resolves issues with MP4 file generation by Android devices, crashes during hibernation when a device is connected to a USB 3.0 port, inability to sign in to the Windows Store and slow updates, as well as a large number of fixes for problems documented in various KB articles. A restart is required after installation.

KB890830 - Windows Malicious Software Removal Tool, June 2013. This is the monthly release of the latest version and definitions for the MSRT, which checks your computer for specific prevalent malware.

KB2859903 - Update for IE 10 (Windows 7 and Server 2008 R2). This update addresses a problem where a "select later" option in KB update 976002 isn't displayed for new installations of IE 10 on Windows 7 and Server 2008 R2.

Updates since the last Patch Tuesday

There was only one out-of-band update released since the last Patch Tuesday, which came out on May 28:

KB947821 - System Update Readiness Tool (Windows 7, Windows Server 2008 R2, Windows Server 2008 and Windows Vista). The tool addresses an inconsistency in the Windows servicing store that could prevent successful installation of future updates and service packs. It fixes a number of installation errors, such as ERROR_FILE_NOT_FOUND and ERROR_INVALID_DATA, which sometimes occur when using Windows Update.

About

Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 add...

9 comments
Adrian Watts

Suffered this following a factory restore of a Win8 x64 machine a few days ago. KB2821895 is breaking some Windows 8 machines' component store and you need to fix it with the DISM tool from the command line. After the patch I tried installing a piece of software which gave a nasty error message at the end and then rolled back, refusing to install.

Microsoft know about this. http://support.microsoft.com/kb/2821895

http://answers.microsoft.com/en-us/windows/forum/windows_8-windows_update/kb2821895-windows-8-x64-update-06112013-problem/eed54c3d-37c2-4965-8974-3f323b4e8e24

nospmas1939

Thank you Gisabun!!!! I installed it and that stopped my nemesis popping up again and again. Cheers

nospmas1939

I keep Win 7 SP1 updated all the time... but why has KB 2836939 installed itself 7 (yes, seven) times? I see no reason for it. Anyone have any clues??? Regards to all

pjboyles

The .NET Framework 4.5 does not include .NET Framework 4.0 support. If the .NET application only uses .NET components that are still available in a newer version of .NET then the application can run in just the newer version provided the newer component versions don't break something. Fortunately MS designed these with parallel installs in mind. The .NET 4.0 install doesn't include 3.5. Unfortunately the install comes in two flavors. One a "profiles" version and one a full client version. The .NET 3.5 SP 1 installer includes .NET 2.0sp2 and .NET 3.0sp2. See .NET versioning information http://msdn.microsoft.com/en-us/library/bb822049.aspx

Zardoc

Out of all 12 updates, this one sends my Win 8 X64 machine in a loop with a black screen at startup.

Mark W. Kaelin

Are the Microsoft patches giving you trouble this month? Maybe your peers can help - describe the problems you are having.

Zardoc

Update won't install if you have a uxtheme.dll patch for themes. Simply uninstall patch, install update and all is fine. MS, what's the use of permitting theme patch if updates choke when installed?

Zardoc

Won't install if you patched uxtheme.dll. Uninstall patch, update will work.