Omphaloskepsis and the December 2013 Security Update Release

There are times when we get too close to a topic. We familiarize ourselves with every aspect and nuance, but fail to recognize not everyone else has done the same. Whether you consider this myopia, navel-gazing, or human nature, the effect is the same. I recognized this during the recent webcast when someone asked the question – “What’s the difference between a security advisory and a security bulletin?” The answer was simple to me, as I’ve been doing this for years, but the question was valid and it reminded me that not every person on the planet knows all of the ins and outs of Update Tuesday.

Given this month’s release, the question is timely, as we have 11 bulletins and 3 new advisories releasing today. As we look through today’s release, I thought it would be helpful to step back and take a closer look at some of the terminology we use frequently. Let’s begin by taking a look at the bulletins for December.

You may notice the graphic is significantly different from past months. In the new format, where you see circles throughout the deck, that’s the deployment priority. The numbers in squares represent the exploit index and the words in color indicate bulletin severity.

As we review our top bulletin deployment priorities for this month, let’s pause to review the official definition of a security bulletin.

Security bulletins include the following:

  • Details of all affected products
  • A list of frequently asked questions
  • Information about workarounds and mitigations
  • Any other information that IT staff needs to address the issue

But that doesn’t really explain why a security bulletin is released. Simply put, when there is a significant security-related update for something we ship, it goes in a security bulletin. If an issue in software can be corrected by applying new software, it becomes a security bulletin. Update for the Windows kernel? Security bulletin. Cumulative update for Internet Explorer? Security bulletin. Code problem with .NET Framework? Security bulletin. I think you see where I’m going with this.

This month, we have 11 security bulletins, 5 Critical and 6 Important in severity, addressing 24 unique CVEs in Microsoft Windows, Internet Explorer, Office and Exchange. For those who need to prioritize deployment planning we recommend focusing on MS13-096, MS13-097, and MS13-099.

MS13-096 | Vulnerability in Microsoft Graphics Component Could Allow Remote Code Execution
This security update resolves a publicly disclosed vulnerability in Microsoft Windows, Microsoft Office, and Microsoft Lync. The vulnerability could allow remote code execution if a user views content that contains specially crafted TIFF files. As we highlighted through ANS, this update fully resolves the issue first described in Security Advisory 2896666. For those who installed the Fix it released through the advisory, you do not need to uninstall the Fix it prior to installing the update, but we do recommend disabling the Fix it after installation to ensure TIFF images are displayed correctly.

MS13-097 | Cumulative Update for Internet Explorer
This security update resolves seven privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user.

MS13-099 | Vulnerability in Microsoft Scripting Runtime Object Library Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker convinces a user to visit a specially crafted website or a website that hosts specially crafted content. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

In addition to the security bulletins, we are also releasing three security advisories this month and revising one more. So how do security advisories differ from security bulletins? After all, sometimes we see updates included in Security Advisories as well – including advisories this month. What’s the difference?

The easiest way to think of advisories is to consider them as a call to action. With bulletins, updates are usually sent out through Windows or Microsoft Update. If you’ve enabled automatic updating, there’s no action for you – the update will be installed and if needed, your system will reboot. Even if you manually apply all updates, bulletins should require nothing more than installing a package and potentially restarting a service or system. Advisories cover topics that potentially affect your security but cannot be resolved through an update alone. Let’s look at the advisories this month as examples.

Security Advisory 2905247 – Insecure ASP.NET Site Configuration Could Allow Elevation of Privilege
This update enables administrators to configure their ASP.NET servers to ensure that view state MAC remains enabled at all times, as well as to provide general guidance on how to enable view state MAC on IIS servers.

In this instance, we’re not correcting faulty code; we’re allowing administrators to enforce a default behavior that’s more secure than the non-default setting.

Security Advisory 2871690 – Update to Revoke Non-compliant UEFI Modules
This advisory notifies customers that an update is available for Windows 8 and Windows Server 2012 that revokes the digital signatures for specific Unified Extensible Firmware Interface (UEFI) modules. The affected UEFI modules consist of specific Microsoft-signed modules that are either not in compliance with our certification program or their authors have requested that the packages be revoked. This update applies to nine private, third-party UEFI modules used for test purposes only.

While this may seem like something we can address through a security bulletin, these UEFI modules are not known to be in public distribution. In all likelihood, you are not affected. Your friends aren’t affected. No one you know is affected. Still, we can’t be 100% certain that no one is affected, so we’re releasing this advisory with instructions for checking just in case.

Security Advisory 2915720 – Changes in Windows Authenticode Signature Verification
This advisory informs customers of an impending change to how Windows verifies Authenticode-signed binaries. It also recommends that developers who sign binaries with Windows Authenticode ensure that their signatures conform to the change by June 10, 2014. The SRD blog covers additional technical details about the changes.

This is an interesting advisory on an interesting topic. It accompanies a security bulletin, MS13-098, which does address an issue in Windows. In addition to resolving a security issue through new code, the update also introduces new functionality. This advisory details the new functionality and provides guidelines to both administrators and developers. The advisory provide some suggested test scenarios to ensure your enterprise and executables are ready for the change. Again, since this change tightens security rather than addresses an issue, it’s more appropriate that we communicate this to you through an advisory.

Finally, we are also revising Security Advisory 2755801 with the latest update for Adobe Flash Player in Internet Explorer. The update addresses the vulnerabilities described in Adobe Security bulletin APSB13-28. For more information about this update, including download links, see Microsoft Knowledge Base Article 2907997.

If you’ve been intrepid enough to read this far down, watch the bulletin overview video below for a brief summary of today’s releases.

For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.

Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, December 11, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope this in-depth discussion of bulletins and advisories has been worth your time. If so, let me know what other topics you would like to see covered here. I never grow weary of talking about second Tuesday.

Thanks,
Dustin Childs
Group Manager, Response Communications
Microsoft Trustworthy Computing

No Comments