Deb Shinder gathers the information you need to make the right deploy decision when applying Microsoft's May 2013 patches in your organization.
For many of us, May is a busy month on the personal front, what with Mother's Day, Memorial Day, proms, graduations, and making plans for the summer. With ten security bulletins being released this Patch Tuesday, it's neither a particularly light nor a tremendously heavy month in that respect. The May updates are mostly aimed at Windows and Office, and only two are labeled critical.
This blog post is also available in PDF format as a TechRepublic Download. If you're falling behind on your patch deployments, catch up with previously published Microsoft Patch Tuesday blog posts.
This month's ten security patches address vulnerabilities in Internet Explorer, the Windows OS, the .NET framework, Office applications and Lync. The only ones rated "critical" are for Internet Explorer.
MS13-037/KB2829530 - Cumulative Security Update for Internet Explorer (IE 6, 7, 8, 9 and 10 on Windows XP, Vista, 7, 8, RT, Server 2003, 2008, 2008 R2 and 2012). This critical update addresses eleven different vulnerabilities in Microsoft's web browser running on all currently supported editions and versions of Windows except the Server Core installations. The way IE authorizes script access to data and handles objects in memory can allow remote code execution. A restart is required after installation.
MS13-038/KB2847204 - Critical Security Update for Internet Explorer (IE 8 and 9 on Windows XP, Vista, 7, Server 2003, 2008, and 2008 R2). This is another update for the listed versions of IE, which addresses a single vulnerability that could allow remote code execution if a user visits a specially crafted web page that contains malicious code. It's rated critical for the client operating systems and moderate for servers, and does not affect IE 6, 7, or 10, or Server Core installations. A restart may be required after installation.
MS13-039/KB2829254 - Vulnerability in HTTP.sys (Windows 8 and RT, Server 2012, including Server Core installation). This update addresses a single vulnerability in the way HTTP.sys handles some HTTP headers, which could allow an attacker to cause a denial of service by sending a specially crafted malicious HTTP packet to the system. It is rated "important." Only the listed operating systems are affected. A restart is required after installation.
MS13-040/KB2836440 - Vulnerabilities in .NET Framework (Windows XP, Vista, 7, 8, RT, Server 2003, 2008, 2008 R2, and 2012, including Server Core installations). This update addresses two vulnerabilities in the .NET Framework versions 2.0 through 4.5, which could allow spoofing of a .NET application: an attacker could modify the contents of an XML file and gain access to endpoint functions. It's rated "important." A restart may be required after installation.
MS13-041/KB2834695 - Vulnerability in Lync and Communicator (Microsoft Communicator 2007 R2, Lync 2010 and Lync Server 2013). This update addresses a vulnerability in Lync and Communicator that could allow an attacker to remotely execute code by sharing a specially crafted malicious file or program through the communications application. It's only rated "important," as the recipient would have to take action to view or share the content by accepting the invitation. Only the listed version of Communicator and the listed versions of Lync are affected. Lync 2013 and Lync for Mac 2011 are not affected. A restart may be required after installation.
MS13-042/KB2830397 - Vulnerabilities in Microsoft Publisher (Microsoft Office 2003, 2007 and 2010). This update addresses eleven vulnerabilities in Microsoft Office that can be exploited by getting a user to open a specially crafted malicious file with Microsoft Publisher. The attacker would then gain the same rights as the currently logged-on user. It's rated "important," but note that Office 2013 is not affected. A restart may be required after installation.
MS13-043/KB2830399 - Vulnerability in Microsoft Word (Microsoft Office 2003, Microsoft Word Viewer). This update addresses a vulnerability in the Office 2003 SP3 version only of Microsoft Word and the Word Viewer, which could allow an attacker to remotely execute code if a user opens a specially crafted malicious document file or email message. The attacker would then gain the same rights as the currently logged-on user. It's rated "important." Other versions of Word, including Word 2013 and Word 2013 RT, are not affected, nor are the Word Web apps or Office for Mac 2011. A restart may be required after installation.
MS13-044/KB2834692 - Vulnerability in Microsoft Visio (Microsoft Visio 2003, 2007, 2010). This update addresses a vulnerability in the listed versions of Microsoft Visio by which an attacker could cause information to be disclosed if the user opens a specially crafted malicious Visio file. It's rated "important." Visio Viewer and Visio 2013 are not affected, nor are Microsoft Office 2007 and 2010 Filter Packs. A restart may be required after installation.
MS13-045/KB2813707 - Vulnerability in Windows Essentials (Windows Essentials 2011, 2012). This update addresses a vulnerability in the Windows Writer (formerly called Live Writer) blogging tool that is part of the Windows Essentials package, which could allow information disclosure if the user opens Writer via a specially crafted malicious URL. The attacker would be able to overwrite files on the target system. It's rated "important." Note that although Windows Essentials 2011 is affected, there is no update available for it; this update only applies to Windows Essentials 2012, and is available for download only. A restart may be required after installation.
MS13-046/KB2840221 - Vulnerabilities in Kernel-Mode Drivers (Windows XP, Vista, 7, 8, RT, Server 2003, 2008, 2008 R2, 2012, including Server Core installations). This update addresses three vulnerabilities that affect all currently supported versions of Windows. An exploit could result in elevation of privilege if an attacker is able to log on to the system locally with valid logon credentials and run a specially crafted malicious application. It's rated "important." A restart is required after installation.
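To turn the bulletin list above into a deploy check, here is an added PowerShell audit script (my example, not part of the original post or of any Microsoft tooling) that compares a host's installed hotfixes against the Windows-component KB numbers from this month and flags a pending restart. It assumes Get-HotFix sees the update, which is true for Windows and .NET updates but not for Office, Lync or Windows Essentials, so those bulletins are out of scope; a KB reported missing may also simply not apply to that host (MS13-038 does not affect IE 10, MS13-039 applies only to Windows 8/RT/Server 2012), so check the affected list before escalating.

```powershell
# Added example: audit a host for the May 2013 Windows-component bulletins.
# Only updates recorded in Win32_QuickFixEngineering are visible to Get-HotFix,
# so Office/Lync/Essentials bulletins (MS13-041..045) are intentionally absent.

# KB numbers exactly as listed in the post; bulletin text is for the report only.
$MayBulletins = @{
    'KB2829530' = 'MS13-037 IE cumulative (critical, restart required)'
    'KB2847204' = 'MS13-038 IE 8/9 (critical)'
    'KB2829254' = 'MS13-039 HTTP.sys DoS (Win8/RT/2012 only, restart required)'
    'KB2836440' = 'MS13-040 .NET Framework spoofing'
    'KB2840221' = 'MS13-046 kernel-mode drivers EoP (restart required)'
}

function Get-MayUpdateStatus {
    # Query the installed hotfix list once, then compare against the expected set.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($kb in $MayBulletins.Keys) {
        [pscustomobject]@{
            KB        = $kb
            Bulletin  = $MayBulletins[$kb]
            Installed = ($installed -contains $kb)
        }
    }
}

function Test-PendingReboot {
    # Registry markers set by Windows Update and Component Based Servicing
    # while a restart is still needed to finish applying updates.
    $markers = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    foreach ($m in $markers) { if (Test-Path $m) { return $true } }
    return $false
}

$report = Get-MayUpdateStatus
$report | Sort-Object Installed | Format-Table -AutoSize

$missing = @($report | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("{0} May 2013 bulletin(s) not installed on {1}; verify applicability before escalating" -f $missing.Count, $env:COMPUTERNAME)
}
if (Test-PendingReboot) {
    # MS13-037, MS13-039 and MS13-046 are not effective until the host restarts.
    Write-Warning 'A restart is pending; updates that require a restart are not yet in effect.'
}
```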
There were a whopping 15 non-security updates released today, including the regular monthly update for the Malicious Software Removal Tool (MSRT).
KB2798162 - Update to improve messaging of dialog boxes when you run executable files in Windows. Applies to Windows 7, 8 and RT and Server 2008, 2008 R2 and 2012. Changes how some dialog boxes are presented to provide you with more information.
KB2805221 - Update for .NET Framework 4.5. Applies to Windows Vista, 7 and Server 2008 R2. Fixes issues pertaining to DateTime.TryParse, an unhandled exception, a CryptographicException error, and more.
KB2805222 - Update for .NET Framework 4.5. Applies to Windows 8, RT and Server 2012. Fixes the same issues mentioned in KB2805221 above.
KB2805226 - Update for .NET Framework 4.5. Applies to Windows Vista, 7 and Server 2008, 2008 R2. Fixes issues with Windows Workflow Foundation (WF).
KB2805966 - Update to resolve loss of temporary Internet files and history in upgrade. Applies to upgrades from Windows 7 or Server 2008 R2 to Windows 8 or Server 2012. This update resolves the issue of lost temporary Internet files (browser cache), browsing history, cookies, saved passwords.
KB2813956 - Update to resolve mobile broadband issue. Applies to Windows 7. This update fixes the issue where mobile broadband providers disappear from the list of available networks in the network interface.
KB2818604 - Microcode update for AMD processors. Applies to Windows 8 computers using AMD processors. Updates the microcode for specific models of AMD series C, E, G and Z processors.
KB2820330 - Compatibility update. Applies to Windows 8, RT and Server 2012. Improves the compatibility experience.
KB2820331 - Application compatibility update. Applies to Windows 7 and Server 2008 R2. Improves the compatibility experience.
KB2820332 - Compatibility update for legacy upgrade experience. Applies to Windows 8 and Server 2012. Improves the experience of upgrading to the latest version of Windows 8 or Windows Server 2012.
KB2820333 - Compatibility update for web and media upgrade. Applies to Windows 8 and Server 2012. Improves the web and media upgrade experience when upgrading to the latest version of Windows 8 and Server 2012 and offers the latest compatibility status of installed applications, devices and drivers.
KB2835174 - Update to resolve Product Activation Wizard issue. Applies to Windows 7 and Server 2008 R2. This update fixes an issue where activation fails and an incorrect disclaimer is displayed.
KB2836988 - May Update Rollup. Applies to Windows 8 and Server 2012. This rollup package includes multiple performance and reliability improvements and resolves issues with graphics driver updates, system performance impact of network activity, file copy, crashes and more.
KB931125 - Update for Root Certificates (Windows XP, Vista, 7 and 8). This is an update to the list of root certificates that are accepted by Microsoft for the use of Extended Validation (EV) certificates on web sites and digital certificates used for email encryption and secure delivery of code. This update requires a restart.
KB890830 - Windows Malicious Software Removal Tool (MSRT). This is the regular monthly update to the MSRT for Windows XP, Vista, Windows 7, Windows 8, and Windows Server 2003, 2008/2008 R2, and 2012.
Updates since the last Patch Tuesday
There have been only a couple of new or changed non-security updates or content released since April Patch Tuesday:
KB2840149 - Security Update for Windows Embedded Standard 7, Windows 7, Windows Vista, and Windows Server 2008/2008 R2. This bulletin, originally released on April 9 with the regular Patch Tuesday updates to address vulnerabilities in the kernel-mode driver that could allow elevation of privilege, was updated on April 24.
KB2607607 - Language Packs for Windows RT (Windows RT). On April 23, new language packs for Windows RT added nine additional languages.