Deb Shinder gathers the information you need to make the right deployment decision when applying Microsoft's July 2013 patches in your organization.
Is it really July already? An IT admin's mid-summer night's dream might be a month "off," with no patches to apply, but you know that's never going to happen. This Patch Tuesday is on the light side, though, with just seven security updates. However, in terms of severity, six of them are rated "critical," with the potential for exploits that could allow remote code execution. Several of these updates address vulnerabilities related to the handling of TrueType font (TTF) files.
A bit of good news is that there are significantly fewer non-security updates released today than usual: just six of those (including the regular MSRT update).
Next month, if all goes as planned, I'll be somewhere in the Atlantic Ocean on Patch Tuesday, and I may or may not have a reliable Internet connection. Guest contributor Susan Bradley has volunteered to fill in for me here and do the August Patch Tuesday article. She is a longtime fellow MVP and patch management guru, so you'll be in good hands. See you in September!
This blog post is also available in PDF format as a TechRepublic Download. Falling behind on your patch deployments? Catch up with previously published Microsoft Patch Tuesday blog posts.
This month's updates affect various versions of Windows, Office, Visual Studio, Lync, Internet Explorer, and Windows Defender, as well as the .NET Framework and Silverlight. All but one may require a restart of the computer after installation.
MS13-052/KB2861561 - Vulnerabilities in .NET Framework and Silverlight
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Server 2003, 2008, 2008 R2 and 2012, including Server Core installations; Microsoft Silverlight 5 and Silverlight 5 Developer Runtime when installed on Windows clients, Windows servers and Mac systems). This update addresses seven vulnerabilities in the .NET Framework and Silverlight on all supported versions of Windows, which could allow remote code execution if a trusted application uses a particular code pattern. It is rated critical for later versions of .NET Framework and important for some earlier versions. A restart may be required after installation.
MS13-053/KB2850851 - Vulnerabilities in Windows Kernel-Mode Drivers
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 and 2012, including Server Core installations). This update is rated critical and affects all supported versions and editions of Microsoft Windows. It addresses eight vulnerabilities in the way Windows handles TrueType font (TTF) files and objects in memory. An exploit could result in remote code execution if a user views shared content with embedded TTF files. A restart may be required after installation.
MS13-054/KB2848295 - Vulnerability in GDI+
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 and 2012, including Server Core installations; Microsoft Office 2003, 2007 and 2010, Visual Studio .NET 2003 and Lync 2010 and 2013). This update addresses one vulnerability in Windows, Office, Visual Studio, and Lync, which could allow remote code execution if a user views shared content that embeds TrueType font (TTF) files. It's rated critical for Windows and Lync, and important for Office and Visual Studio. It does not affect Office 2013/2013 RT, nor Visual Studio versions 2005 and later. It also does not affect Communicator, Live Communications Server, Speech Server, Live Meeting Console, Lync 2010, Lync Web Access, or Lync for Mac 2011. A restart may be required after installation.
MS13-055/KB2846071 - Cumulative Security Update for Internet Explorer
(Internet Explorer 6, 7, 8, 9 and 10 running on all supported versions and editions of Microsoft Windows). This update addresses seventeen vulnerabilities that impact all supported versions of IE, the most severe of which could allow remote code execution upon viewing of a specially crafted web page in IE. It needs to be applied on all machines except those running Server Core installations. Rating is critical for Windows clients and moderate for Windows servers. A restart is required after installation.
MS13-056/KB2845187 - Vulnerability in Microsoft DirectShow
(Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008, 2008 R2 SP1 and 2012). This update addresses one vulnerability in the way the DirectShow component opens GIF files, which could allow remote code execution if a specially crafted GIF image file is opened. This vulnerability does not affect Windows RT, Windows Server 2008 and 2008 R2 for Itanium-based systems, or Server Core installations. A restart may be required after installation.
MS13-057/KB2847883 - Vulnerability in Windows Media Format Runtime
(Windows XP, Vista, Windows 7, Windows 8, Windows RT, Windows Server 2003, 2008, 2008 R2 SP1 and 2012). This update addresses one vulnerability in the way Windows Media Player opens certain media files, which could allow remote code execution if a specially crafted media file is opened. This vulnerability does not affect Windows Server 2008 and 2008 R2 for Itanium-based systems, or Server Core installations. A restart may be required after installation.
MS13-058/KB2847927 - Vulnerabilities in Windows Defender
(Windows 7 and Windows Server 2008 R2). This update addresses one vulnerability in the way Windows Defender, running on Windows 7 or Windows Server 2008 R2, uses pathnames. The vulnerability could allow elevation of privilege, by which an attacker could take control of the system. However, the attacker must obtain valid logon credentials in order to exploit the vulnerability, so it's rated important. No restart is required.
July brings us far fewer non-security updates than last month, which should come as a bit of a relief.
KB2607607 - Language packs for Windows 8 and Windows RT. New language packs are available for Windows 8/RT for the following languages: Turkmen, Maori, Kannada, Norwegian, Konkani, Irish, Maltese, Urdu, Tatar, Assamese, Bangla.
KB2829104 - Telugu characters not displayed correctly in Nirmala UI font. (Windows 7 and Windows Server 2008 R2). This update addresses a problem of incorrect character display in Word 2013 on a computer running Windows 7 or Server 2008 R2.
KB2836945 - Update for .NET Framework 2.0 SP2. (Windows Server 2008 SP2). This update resolves two issues with ASP.NET based web pages.
KB2855336 - Update Rollup. (Windows 8, Windows RT and Server 2012). This update addresses an issue that can result in SD cards no longer being detected if the system transitions between different power states, along with nineteen other issues affecting these operating systems.
KB2859541 - Update to support new camera models. (Windows 8, Windows RT). This update adds codecs to provide support for seventeen new models of cameras from Canon, Epson, Nikon, Olympus, Panasonic, Pentax and Sony.
KB890830 - Windows Malicious Software Removal Tool - July 2013 (Windows XP, Vista, Windows 7, Windows 8, Windows Server 2003, 2008, 2008 R2, and 2012). This is the regular monthly updated version of the Malicious Software Removal Tool (MSRT).
Updates since the last Patch Tuesday
There was only one out-of-band update released since the last Patch Tuesday, which came out on June 25, and that was an update to the MSRT, which is now superseded by the July edition of the tool.