It’s the second Tuesday in March, which means that it’s also the third Patch Tuesday of 2013. Microsoft released seven new security bulletins today, with four rated as "critical," but security experts are particularly concerned about a flaw rated as merely "important" that exposes your Windows PCs to major risk. Wolfgang Kandek, CTO of Qualys, notes in a blog post that the number of security bulletins is about par for the course for Microsoft. He adds, “In technical terms though we are seeing some interesting vulnerabilities that definitely rate higher-than-average.”
For starters, there is a cumulative security update for Internet Explorer (MS13-021). It addresses nine separate vulnerabilities, one of which has had exploit code circulating in the wild for the past month. Kandek urges IT admins to apply this update as soon as possible. “Every supported version of Internet Explorer (6 through 10) is affected, thus implicitly making all supported Windows platforms (including Windows RT) a target for attackers,” points out BeyondTrust CTO Marc Maiffret.
According to Paul Henry, security and forensic analyst at Lumension, the second priority should be MS13-022—a "critical" security bulletin that deals with a remote code execution vulnerability in Silverlight 5. Simply browsing to a website with malicious content with a vulnerable version of Silverlight is all it takes to become a victim of this attack.
Possibly the most interesting of the seven security bulletins, though, is MS13-027. Microsoft only rates it as "important" because the attack requires physical access to the vulnerable machine. Andrew Storms, director of security operations for nCircle (currently in the process of being acquired by Tripwire), explains that this flaw allows anyone with a USB thumb drive loaded with the attack code to bypass security controls and access a vulnerable system even if AutoRun is disabled, and the screen is locked.
Storms cautions, “Just imagine what a properly motivated janitorial staff could do with this vulnerability in just one evening. This vulnerability also seriously impacts security on all those public kiosks and co-location centers that don't have locked cabinets. The potential for harm with this vulnerability can’t be overstated.” Security experts agree that MS13-021, MS13-022, and MS13-027 pose a very serious threat and should be addressed immediately. As with any Patch Tuesday, you should review all of the security bulletins to determine the potential impact to your systems, and prioritize the patches accordingly.
While you’re at it, Adobe has released a new version of their Flash player, which addresses four critical vulnerabilities. Make sure you take a look at that and update Flash player as soon as possible as well.