By Susan Bradley, MVP (SBS)

The dog days of summer are here, along with eight bulletins,
including one that impacts Exchange 2007 through Exchange 2013. In fact, it’s
the first official security patch for that platform. Due to a change in how
Exchange 2013 releases updates, you must be on Cumulative rollup update 1 or 2
in order to deploy this security update.

Once again we’re patching Internet Explorer (6 through 10)
for a critical issue that includes remote code execution. For many of you, the
biggest headache will be reinstalling the .NET updates from last month’s
MS13-052, along with the re-released Windows Media patch in MS13-057, which
had issues with certain applications and WMV files last month.

This blog post is also available in PDF format as a TechRepublic download.

Security Patches

This month’s eight security bulletins address
vulnerabilities in Internet Explorer, the Windows OS, and Exchange.

***

MS13-059/KB2862772 – Cumulative Security Update for Internet
Explorer
(IE 6, 7, 8, 9 and 10 on Windows XP, Vista, Windows 7, Windows 8,
Windows RT and Server 2003, 2008, 2008 R2 and 2012, all editions). This update
is rated critical for client and important for server operating systems and
affects all listed versions of the Internet Explorer web browser and all
currently supported Windows operating systems (server core installations
excluded). It addresses eleven different vulnerabilities that stem from the way
IE handles objects in memory, some of which allow remote code execution if a
specially crafted malicious web page is visited. A restart is required after
installation.

**

MS13-060/KB2850869 – Vulnerability in Unicode Scripts
Processor Could Allow Remote Code Execution
(Windows XP, Server 2003). This
update is rated critical for XP and Server 2003. It addresses one vulnerability in
Unicode Scripts specifically if the Indic language pack (Bangali font) is
installed. A victim could browse to a malicious webpage and be attacked. A
restart may not be required after installation.

**

MS13-061/KB2876063 – Vulnerability in Exchange Server Could
Allow Remote Code Execution
(Exchange 2007, 2010 and 2013). This update is
rated Critical for Exchange Servers. It addresses three vulnerabilities in
WebReady Document Viewing and Data Loss Prevention features of Microsoft
Exchange Server. The vulnerability could allow remote code execution in the
security context of the transcoding service on the Exchange server if a user
previews a specially crafted file using Outlook Web App (OWA). It specifically
addresses the Oracle Outside In issues included in a recent Oracle security
update. A restart is not required after installation.

**

MS13-062/KB2849470 – Vulnerability in Remote Procedure Call
Could Allow Elevation of Privilege
(Windows Vista, Windows 7, Windows 8,
Windows RT, Server 2008, 2008 R2, and 2012, including server core
installation). This update is rated Important for all operating systems. It
addresses the vulnerability by correcting the way that Microsoft Windows handles
asynchronous RPC messages. The vulnerability could allow elevation of privilege
if an attacker sends a specially crafted RPC request. It will be difficult to
trigger this attack reliably. A restart is required after installation.

**

MS13-063/KB2859537 – Vulnerabilities in Windows Kernel Could
Allow Elevation of Privilege
(32-bit versions of Windows XP, Windows Server
2003, and Windows 8; and all supported editions of Windows Vista, Windows
Server 2008, Windows 7, and Windows Server 2008 R2). This update is rated
important for impacted operating systems. It addresses vulnerabilities by
changing how the Windows kernel validates memory address values and by
modifying functionality to maintain the integrity of ASLR. The update also
addresses a recent CanSecWest pwn2own exploit. A restart is required after
installation.

**

MS13-064/KB2849568 – Vulnerability in Windows NAT Driver
Could Allow Denial of Service
(Windows Server 2012). This update is rated
important for Windows Server 2012. It addresses one vulnerability in the
Windows NAT Driver in Microsoft Windows. The vulnerability could allow denial
of service if an attacker sends a specially crafted ICMP packet to a target
server that is running the Windows NAT Driver service. This was first
introduced in Windows Server 2012. A restart is required after installation.

**

MS13-065/KB2868623 – Vulnerability in ICMPv6 could allow
Denial of Service
(Windows Vista, Windows Server 2008, Windows 7, Windows
Server 2008 R2, Windows 8, Windows Server 2012, and Windows RT). The update is
rated important for impacted systems. It addresses one vulnerability that could
allow a denial of service if the attacker sends a specially crafted ICMP packet
to the target systems. A restart is required after installation.

**

MS13-066/KB2873872 – Vulnerability in Active Directory
Federation Services Could Allow Information Disclosure
(Windows Server
2003, 2008, 2008 R2 and 2012). The update is rated important for impacted
systems. It addresses one vulnerability that could reveal information pertaining
to the service account used by AD FS leading to attempted logins and denial of
service attacks. A restart is required after installation.

Other Updates/Releases

There were non-security updates released for August,
including the regular monthly update for the Malicious Software Removal Tool
(MSRT).

**

KB2856373 – Update to improve protection functionality in Windows Defender (Windows
8, Windows RT, Server 2012). This update improves protection functionality in
Windows Defender. A restart is required.

*

KB2862768 – Windows RT, Windows 8, and Windows Server 2012 update rollup: August
2013
(Windows 8, Windows RT and Server 2012). This update resolves an issue
in which some Micro SD cards are not detected on Windows 8 tablets as well as
several other issues. A restart is required after installation.

**

KB2863058 – August 2013 cumulative time zone update for Windows operating
systems
(Windows 8, Windows RT, Windows Server 2012, Windows Embedded
Standard 7, Windows 7, Windows Server 2008 R2, Windows Server 2008, Windows
Vista, Windows Server 2003, and Windows XP). This update contains time zone
fixes impacting Libya, Israel, Pacific SA, Paraguay, West Asia, and Morocco. No
restart is required after installation.

*

KB931125 – Update for Root
Certificates
(Windows XP [manually]). This item updates the list of root
certificates on your computer to the list that is accepted by Microsoft as part
of the Microsoft Root Certificate Program. A restart is required after
installation.

**

KB2767849 – 2007 Office
system update: August 13, 2013
(Office 2007). This item fixes an issue
where Office 2007 cannot add a digital signature to a document. A restart is
not required after installation.

*

KB2861855 – Updates to Improve Remote Desktop Protocol Network-level Authentication
(Windows
Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2). The update
adds defense-in-depth measures to the Network Level Authentication (NLA)
technology within the Remote Desktop Protocol in Microsoft Windows. A restart
is not required after installation.

**

KB890830 – Windows Malicious Software Removal Tool, August 2013. This is
the monthly release of the latest version and definitions for the MSRT, which
checks your computer for specific prevalent malware.

Rereleased updates since Patch Tuesday

Microsoft has rereleased two updates since last Patch
Tuesday to fix issues associated with the updates:

**

MS13-052/KB2861561 – Vulnerabilities in .NET Framework and
Silverlight Could Allow Remote Code Execution
(Windows Server 2003, 2008,
2008 R2 and 2012). The bulletin was revised to rerelease the 2840628, 2840632,
2840642, 2844285, 2844286, 2844287, and 2844289 updates. Customers should
install the rereleased updates that apply to their systems. A restart is required
after installation.

**

MS13-057/KB2847883 – Vulnerability in Windows Media Format
Runtime Could Allow Remote Code Execution
(Windows 7, Windows Server 2008
R2). The bulletin was revised to rerelease the 2803821 update due to issues with
WMV files and certain applications. Customers should install the rereleased
updates that apply to their systems. A restart may be required after
installation.

Susan Bradley is a Small Business Server and Security MVP who is a moderator on the Patchmanagement.org list and writes for WindowsSecrets.com. She’s attempting to fill the esteemed shoes of Deb Shinder while she’s on a much-earned vacation.