Before we discuss this month’s release, I wanted to briefly touch on the big event happening this week. No, I’m not talking about the romantically-themed holiday on Thursday. I’m talking about the start of spring training and the return of baseball. There are a few things I am very passionate about and those who know me, know how much I love baseball. From playing, to coaching, to watching, it's how I spend most of my free time. Of course, those who know me also know I am passionate about defense, both on the field and off. As a catcher and with Trustworthy Computing, protection is just another part of the job.
When it comes to protections for computers, I usually point to our security updates (mentioned below), but I also like to bring up additional tools that people can use to protect their systems. The Enhanced Mitigation Experience Toolkit (EMET) is a free tool that offers great protection, but many people I talk to haven’t heard of it or don’t use it. If you are not familiar with EMET, it provides security mitigation technologies to make it more difficult for an attacker to exploit vulnerabilities in existing software – even those issues that are unknown. EMET does this by stopping known exploit techniques and allowing applications to opt-in to existing mitigations that already exist on your system, like Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR).
We’ve been recommending EMET for a while, and it’s great to see others endorse it as well. While quite a few folks have installed EMET on their home systems, the tool can be a bit daunting to configure at first glance. To help out, we’ve provided some easy installation and configuration tips for home users.
Now, on to today’s bulletins.
We’re releasing 12 bulletins, five Critical-class and seven Important-class, addressing 57 vulnerabilities in Microsoft Windows, Office, Internet Explorer, Exchange and .NET Framework. For those who need to prioritize deployment, we recommend focusing on MS13-009, MS13-010 and MS13-020 first:
MS13-009 (Microsoft Internet Explorer)
This security update resolves thirteen issues in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same rights as the current owner. The issues were privately disclosed and we have not detected any attacks or customer impact.
MS13-010 (Vector Markup Language)
This security update resolves an issue in the Microsoft implementation of Vector Markup Language (VML). The vulnerability could allow remote code execution if a user viewed a specially crafted webpage using Internet Explorer. This issue was privately reported and we have not detected any attacks or customer impact.
MS13-020 (Microsoft Windows)
This security update resolves an issue in Microsoft Windows Object Linking and Embedding (OLE) Automation. The vulnerability could allow remote code execution if a user opens a specially crafted file. An attacker who successfully exploited the vulnerability could gain the same rights as the current owner. This issue was privately reported and we have not detected any attacks or customer impact.
Please watch the bulletin overview video below for a quick summary of today’s releases.
As always, we recommend that our customers deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).
Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).
For more information about this month's security updates, visit the Microsoft Security Bulletin summary webpage.
Jonathan Ness and I will host the monthly technical webcast, scheduled for Wednesday, February 13, 2013, at 11 a.m. PST. I invite you to register here, and tune in to learn more about the February security bulletins and advisories.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
I hope your team has a great spring, and I look forward to hearing your questions during the webcast.
Group Manager, Response Communications
Microsoft Trustworthy Computing