Security Experts:

Microsoft Closes Nearly 50 Security Gaps in Patch Tuesday Update

Microsoft patched 47 security vulnerabilities across its product portfolio today as part of a massive Patch Tuesday update.

The fixes are spread across 13 bulletins – four of which are rated 'critical.' The others are classified as 'Important.' According to Microsoft, the first bulletins organizations should prioritize are MS13-067 – which deals with vulnerabilities in SharePoint Server - and MS13-068, which impacts Microsoft Outlook.

"This update for SharePoint Servers also addresses 10 issues, but here, only CVE-2013-1330 is Critical," explained Dustin Childs, group manager of response communications for Microsoft Trustworthy Computing. "While CVE-2013-3180, an Important-rated issue, was publicly disclosed, we have not detected any active attacks involving any of these issues. For the one Critical CVE here, an attacker could send specially crafted content to an affected server. After a failure to properly validate the input, the attacker could then execute code on the system in the context of the W3WP service account."

The CVE-2013-1330 does not affect SharePoint Server 2013, he added.

MS13-068, which fixes a critical vulnerability in Outlook 2007 and 2010, could allow an attacker to execute code in the context of the current user, explained BeyondTrust CTO Marc Maiffret.

"Attackers can exploit this by crafting malicious S/MIME messages and sending them to target users," he said. "When the user opens the malicious message, the vulnerability will be exploited, causing the user’s system to be compromised and the attacker’s code to run in the context of the current user. Because of this attack vector, it is very important that this patch be rolled out as soon as possible."

While MS13-068 and MS13-067 may be high on the prioritization list, organizations should also pay close attention to MS13-069, a cumulative update for Internet Explorer rated critical that closes 10 security holes across all supported versions of the browser.

The final critical bulletin is MS13-070, a Windows vulnerability that could allow an attacker to execute code remotely if a user opens a file containing a specially-crafted OLE object.

The remaining bulletins affect Windows and Microsoft Office. Though Microsoft stated last week it was planning to release 14 bulletins today, the company told SecurityWeek that one was pulled for further testing.  

"IE, Sharepoint and Outlook are hardest hit this month, and vulnerabilities in XP and Windows 2003 were also patched...something we hopefully will see more of as the XP end of life date of April 8, 2014 nears," noted Paul Henry, security and forensic analyst at Lumension. "[Windows] 2003 follows that 15 months later with its own EOL date of July 14, 2015. For anyone using XP, a migration plan must be put in place if you don't already have one."

In addition to the Microsoft patches, Adobe issued security updates for Flash Player, Adobe Reader and Adobe Shockwave Player as well. None of the vulnerabilities is known to be under attack, according to the company.