Microsoft issues advance warning for first Patch Tuesday of 2013

News 4 Jan, 2013

Software giant to patch two critical vulnerabilities for Windows users, but offers no permanent fix for Internet Explorer security hole.

Software giant Microsoft is planning to use the first Patch Tuesday of 2013 to roll out seven security bulletins, which include two critical updates for Windows users.

Both critical updates address remote code execution vulnerabilities; left uninstalled, they could allow an attacker to take control of an affected machine.

Windows XP, Vista, 8 and RT will require one of these updates to be installed, whereas Windows 7 will require both.

All of the currently supported versions of Windows Server are also affected to varying degrees by these same vulnerabilities.

The five remaining updates are rated “Important” by Microsoft and address elevation of privilege, security feature bypass and denial of service vulnerabilities.

The alert, however, does not feature a patch for the Internet Explorer remote code execution vulnerability that IT Pro reported on earlier this week.

Andrew Storms, director of security operations at audit and compliance software vendor nCircle, was not surprised to learn the IE bug won't be sorted this time around.

“Next week’s release won’t include a permanent fix for the IE zero-day bug that came out over the holidays, but that shouldn’t surprise anyone,” he said.

“It would have taken a miracle for Microsoft to patch a zero-day one week after a zero-day advisory.”

Meanwhile, Ziv Mador, director of security research at Trustwave’s ethical hacking team SpiderLabs, said these reported vulnerabilities are not the only ones Microsoft users need to be wary of at the moment.

“There are also active ongoing attacks using fraudulent certificates issued by Turktrust,” he warned.

“[They] were issued for google.com and could be used to spoof content, perform phishing attacks, or perform man-in-the-middle attacks against several Google web properties.

“Microsoft has already updated the Certificate Trust List. If you are using the automatic updater of revoked certificates you are all set. If not, or you are still using XP or Server 2003, you will find an update for you in Microsoft Update,” Mador added.

The Turktrust case has been flagged by the United States Computer Emergency Readiness Team in an alert sent out yesterday.

In an advisory on the Microsoft TechNet blog, the firm said users that have the automatic updater of revoked certificates should not need to take action.

“For Windows XP and Windows Server 2003 customers or [those] who choose not to install the automatic updater of revoked certificates, Microsoft recommends that the 2798897 update be applied immediately,” the blog advised.
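The advisory quoted above leaves an administrator with two questions: is the automatic updater of revoked certificates active on this host, and if not, has update 2798897 been applied? The following PowerShell script is an added example for checking both, written for this page and not code from Microsoft or the article. It assumes the KB number 2798897 as printed in the advisory; it assumes the automatic updater records its last sync of the disallowed-certificate list under the registry key `HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate` in a value named `DisallowedCertLastSyncTime`; and it assumes the revoked certificates show up in the machine's Disallowed (Untrusted Certificates) store with “TURKTRUST” in the Subject or Issuer. All three assumptions are marked in the code.

```powershell
# Added example: audit a Windows host for the TURKTRUST remediation described
# in the Microsoft advisory. Not Microsoft's or the article's own code.
# Run in an elevated PowerShell session.

function Test-DisallowedCtlAutoUpdate {
    # ASSUMPTION: the automatic updater of revoked certificates stamps its last
    # sync of the disallowed-certificate CTL in this registry value.
    $key = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
    if (-not (Test-Path -Path $key)) { return $false }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($null -ne $props) -and ($null -ne $props.DisallowedCertLastSyncTime)
}

function Test-ManualCtlUpdate {
    # KB number taken from the advisory quoted in the article.
    $fix = Get-HotFix -Id 'KB2798897' -ErrorAction SilentlyContinue
    return [bool]$fix
}

function Get-DisallowedTurktrustCerts {
    # ASSUMPTION: once the Certificate Trust List update has landed, the revoked
    # TURKTRUST-issued certificates appear in the machine Disallowed store.
    Get-ChildItem -Path 'Cert:\LocalMachine\Disallowed' |
        Where-Object { $_.Subject -match 'TURKTRUST' -or $_.Issuer -match 'TURKTRUST' } |
        Select-Object -Property Subject, Issuer, Thumbprint, NotAfter
}

function Get-TurktrustRemediationStatus {
    $auto   = Test-DisallowedCtlAutoUpdate
    $manual = Test-ManualCtlUpdate
    $certs  = @(Get-DisallowedTurktrustCerts)

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OSVersion             = [Environment]::OSVersion.VersionString
        AutoUpdaterActive     = $auto
        KB2798897Installed    = $manual
        TurktrustCertsBlocked = $certs.Count
        # Either path is acceptable per the advisory; both false means action needed.
        Remediated            = ($auto -or $manual) -and ($certs.Count -gt 0)
    }
}

$status = Get-TurktrustRemediationStatus
$status | Format-List

if (-not $status.Remediated) {
    Write-Warning 'Neither the automatic updater nor KB2798897 is present, or the TURKTRUST entries are missing from the Disallowed store. Apply update 2798897 via Microsoft Update.'
}

# Optional: list what is actually blocked so the result can be verified by eye.
Get-DisallowedTurktrustCerts | Format-Table -AutoSize
```

On Windows XP and Server 2003, where the automatic updater is not available, `Test-DisallowedCtlAutoUpdate` will return false and only the KB check matters; on Vista and later a false result from both functions is the signal to install the update rather than wait for the automatic mechanism.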