Are you ready for the first Patch Day of 2013? If you run a Microsoft shop (Mac users need not apply this month), get ready as you’ll want to install some of today’s updates as soon as you can.
As promised, Microsoft released seven security bulletins and software updates today, two of which they rate as Critical. The seven updates fix 12 vulnerabilities in products like Windows, XML Core Services, the .NET Framework, and their System Center Operations Manager. The impact of these vulnerabilities ranges widely, from allowing a remote user to execute arbitrary code to basic Denial of Service (DoS) issues. If you manage any of the affected products, I recommend you apply the updates quickly—particularly the Critical ones.
As I mentioned in last week’s notification, Microsoft is not releasing a fix for the recent Internet Explorer (IE) zero-day vulnerability today. They simply haven’t had time to fully craft the patch since the exploit’s first discovery. However, Microsoft has released a FixIt, which partially mitigates the issue. While I recommend you apply the FixIt, be aware that a security research organization has found it doesn’t prevent all forms of this particular attack. So you’ll still want to jump on Microsoft’s real patch once they release it. In the meantime, if you use one of WatchGuard’s XTM appliances with the IPS service, we have a signature that protects you from the known exploits for this IE zero-day flaw.
I’ll post more detailed alerts throughout the day, but until then feel free to refer to Microsoft’s January bulletin matrix below.

— Corey Nachreiner, CISSP (@SecAdept)