The first Microsoft security bulletin release of 2013 includes seven bulletins (MS13-001 through MS13-007), two of which are rated “critical” because they allow remote code execution.

MS13-001 affects the print spooler service on Windows 7 and Server 2008; the issue is not as severe as initially feared. It is an interesting defect in that an attacker controlling a print server could queue malicious print job headers to exploit clients that connect to it. However, as the Microsoft SRD team discussed, it cannot be triggered by the normal, built-in print job enumeration. No one should have a print spooler reachable from outside the firewall, but that does not rule out exploitation by an insider, local use for privilege elevation, or an attacker using it to get further access once some other foothold is gained.

The other critical bulletin is MS13-002, a flaw in the underlying XML parsing libraries (Microsoft XML Core Services, MSXML). This impacts a dog's breakfast of Microsoft operating systems and applications, including Windows 8, Windows RT and Server 2012. The thing to watch with this type of vulnerability is that the same library ships with many products, so a single system may need several of the patches: it affects Groove, Office, SharePoint, the OS itself and other components, and administrators have to patch each affected component separately. That means multiple patches for many systems and will almost certainly require a restart.

MS13-003 is actually an XSS in the Microsoft System Center Operations Manager (SCOM) login page; however, it requires the attacker to know a valid user name.  MS13-004 covers four CVEs in the .NET Framework, versions 1.1 through 4.5: three are privilege elevation and the fourth is an information disclosure vulnerability.  MS13-005 is a local privilege elevation defect in the Windows kernel-mode drivers.

MS13-006 impacts all supported versions of Windows since Vista.  It addresses an SSL/TLS handshake flaw: a man-in-the-middle attacker can force the session security down to SSLv2 when a Microsoft client connects to a server that requests lower session security than the highest the client supports.
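As an added example (not part of the original post), here is a PowerShell check a Windows administrator can run alongside the patch. It reads the documented Schannel registry keys to report whether SSL 2.0 is explicitly disabled for the client side (the side the downgrade targets) and the server side, and with the script's own `-Fix` switch sets `Enabled=0` and `DisabledByDefault=1` for both. Removing SSLv2 from the client's supported protocols is defense in depth rather than the bulletin's fix, but it takes away the downgrade target whether or not the update is installed. A restart is needed for Schannel to pick up the change.

```powershell
# Added example, not Microsoft's workaround text. Reports and optionally fixes
# the Schannel SSL 2.0 settings. Run elevated to apply changes (-Fix).
param([switch]$Fix)

$base  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$sides = @('Client', 'Server')

function Get-Ssl2State {
    param([string]$Side)
    $key = Join-Path $base "SSL 2.0\$Side"
    if (-not (Test-Path $key)) {
        # No key: the OS default applies, so SSL 2.0 is not explicitly disabled.
        return [pscustomobject]@{ Side = $Side; Present = $false; Enabled = $null; DisabledByDefault = $null }
    }
    $props = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Side              = $Side
        Present           = $true
        Enabled           = $props.Enabled            # $null if the value is absent
        DisabledByDefault = $props.DisabledByDefault  # $null if the value is absent
    }
}

function Disable-Ssl2 {
    param([string]$Side)
    $key = Join-Path $base "SSL 2.0\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled=0 turns the protocol off; DisabledByDefault=1 keeps it off even
    # when an application asks for the system default protocol set.
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

foreach ($side in $sides) {
    $state    = Get-Ssl2State -Side $side
    $disabled = $state.Present -and ($state.Enabled -eq 0)
    if ($disabled) {
        Write-Host "SSL 2.0 ${side}: explicitly disabled (Enabled=0, DisabledByDefault=$($state.DisabledByDefault))"
    } else {
        Write-Warning "SSL 2.0 ${side}: not explicitly disabled (Enabled=$($state.Enabled), DisabledByDefault=$($state.DisabledByDefault))"
        if ($Fix) {
            Disable-Ssl2 -Side $side
            Write-Host "SSL 2.0 ${side}: now disabled; restart the machine for Schannel to apply it"
        }
    }
}
```

Run it without arguments first to see the current state; a missing key or a missing `Enabled` value is reported as "not explicitly disabled" because the script only trusts an explicit zero, not whatever the platform default happens to be.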

MS13-007 fixes an issue in Microsoft's Open Data Protocol (OData) implementation where a malicious request using the find-and-replace function could crash the OData service (a denial of service).

It's interesting and significant to note that none of these issues are known to be actively exploited at this time.  History has shown, though, that once the patch leads smart, malicious hackers to the issue, it won't be long before exploits start.

Many people were expecting a patch for the Internet Explorer 0-day disclosed around New Year's.  It was not included in today's release, but the only supported version of IE affected by the current 0-day is IE 8, so the impact is largely limited to customers still on Windows XP (let's face it, if you are on IE 6 or 7 you are already seriously exposed and likely compromised).  Users of other Windows platforms should have moved to IE 9 or 10 by now.  Microsoft is confident that its “Fix it” works and that, as a mitigation, users can configure the Enhanced Mitigation Experience Toolkit (EMET) to block the ASLR bypass.  I'm confident that Microsoft is working on a patch and monitoring the situation and will deliver the patch once it is ready, and how soon it is ready will be driven (at least in part) by how quickly the exploit moves from targeted to publicly available.

Happy patching!

-Ross