Cyber Security Institute


Monday, April 08, 2013

Security updates likely to keep admins busy in April

Microsoft is to release nine security bulletins next week as part of its monthly Patch Tuesday security updates, aimed mainly at critical vulnerabilities in Internet Explorer and Windows 7. There is also an out-of-cycle update for Java from Oracle this month. In addition to the Microsoft updates, security administrators should note that the PostgreSQL open source project has published a new version of its database product that addresses five security flaws. One of them – CVE-2013-1899 – allows an attacker to delete database files without authentication, leading to data loss and denial of service.

According to the Security Bulletin Advance Notification for April 2013, the first critical update is for all versions of Internet Explorer (IE), including the newest IE 10 on Windows 8 and RT. This vulnerability should be at the top of patching priority lists, as it allows remote code execution through users visiting a compromised website, which is one of the most popular attack methods, said Wolfgang Kandek, chief technology officer at security firm Qualys.

Andrew Storms, director of security operations at nCircle, said it is almost certain that this month’s IE patch fixes the Pwn2Own bug from CanSecWest.

The second Microsoft security update is aimed at a “critical” vulnerability that affects the Windows operating system, except the newest versions – Windows 8, Server 2012 and Windows RT for tablets. “The vulnerabilities addressed in these bulletins typically allow the attacker an escalation of privilege from a normal user to an admin-level user once they are already on the machine or can trick the user to open a specifically crafted file,” said Kandek.

Ziv Mador, director of security research at Trustwave, said it would be interesting to find out how the vulnerability in Windows Defender was discovered and disclosed.


Posted on 04/08