This month's Patch Tuesday is the polar opposite of last month's ho-hum, here-we-go-again-with-the-patches exercise. There are 7 advisories, and 6 of those are critical issues allowing remote code execution. Basically everything in the core Microsoft world is affected by one or more of these: every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It's going to be a busy time for security teams everywhere.

For the first time ever, Microsoft is addressing a single CVE (CVE-2013-3129) in three different advisories (MS13-052, MS13-053, and MS13-054). This issue relates to TrueType Font processing and legitimately affects different components. By splitting this out, Microsoft is directly addressing a complaint about previous "rolled up" advisories, where it was difficult to properly prioritize the multiple patches required to remediate the problem and component patches were frequently missed.

The top two patching priorities are the kernel issue (MS13-053) and the Internet Explorer patch bundle (MS13-055). These are both priority one, according to Microsoft, with MS13-052, MS13-054, MS13-056, and MS13-057 all coming in at priority two. Remember that patching priority and a “critical” rating from Microsoft factor in exploitability and whether the vulnerability has been responsibly disclosed. Some of the vulnerabilities patched in MS13-052 and MS13-053 are known to be under active exploitation in the wild, but exploitation is considered unlikely, whereas some of the responsibly disclosed issues in Internet Explorer are considered likely for exploitation now that the patch is out.

Going into today, three of the bulletins roughly matched the profile of the issue Google's Tavis Ormandy disclosed back in May (CVE-2013-3660), which led to speculation that it might be fixed in this month's patching cycle. Despite reports to the contrary, it is included in MS13-053.

Microsoft also announced a policy change related to the Microsoft marketplace. Going forward, any "app" that is affected by a security issue will be removed from the store if it is not patched within 180 days of the issue being confirmed.