There are those I’ve met who think my life is something akin to the classic comedy Groundhog Day. No, I don’t wake up to the musical stylings of Sonny and Cher each morning, but month after month after month, the second Tuesday rolls around and I’m involved in releasing security updates. As you may have noticed, there’s a second Tuesday in every month.
I don’t say this to garner any sympathy. I enjoy what I do, primarily because I know it helps protect people. It’s the reason we started update Tuesday nearly 10 years ago, and the reason we continue it still today. We want our customers to know that if there’s a problem, we’ll be working on a solution. But there are some things that can affect your computing experience that I can’t directly control. For example, we can’t directly update third-party apps that you install from the Windows Store if they have a problem. But we can influence when they get updated.
Today we are announcing a new policy for how we’ll handle vulnerabilities in apps available through the Windows Store, Windows Phone Store, Office Store, and Azure Marketplace. As with second Tuesday, we’re doing this to help protect customers and to ensure the apps available in our stores are as secure as possible. Starting today, developers will be required to submit an updated app within 180 days of being notified of a Critical or Important severity security issue. This assumes the app is not currently being exploited in the wild. In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier.
We also realize there may be rare cases where a developer needs more than 180 days. Should that occur – it hasn’t so far – we’ll work with the developer to get an updated app replacement as soon as possible.
Now let’s talk about some other customer security protections the seven bulletins we released today – six Critical and one Important, addressing 34 vulnerabilities in Microsoft Windows, Internet Explorer, .NET Framework, Silverlight, GDI+ and Windows Defender. For those who need to prioritize deployment, we recommend focusing on MS13-053 and MS13-055 first. As always, customers should deploy all security updates as soon as possible. Our Bulletin Deployment Priority guidance is below, to further assist in deployment planning.
MS13-053 | Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution
This security update resolves two publicly disclosed and six privately reported vulnerabilities in Microsoft Windows. The most severe of these vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a malicious webpage that embeds TrueType font files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. We are aware of CVE-2013-3660 being used to achieve elevation of privilege in limited, targeted attacks.
MS13-055 | Cumulative Security Update for Internet Explorer
This security update resolves 17 issues in Internet Explorer that could allow remote code execution if a customer views a specially-crafted Web page using the browser. An attacker who successfully exploited these vulnerabilities could gain the same rights as the logged-on user. This security update is rated Critical for all versions of Internet Explorer, on all supported releases of Microsoft Windows. These issues were privately disclosed and we have not detected any attacks or customer impact.
Watch the bulletin overview video below for a brief summary of today’s releases.
Our Bulletin Deployment Priority graph provides an overview of this month’s priority releases (click for larger view).
Our risk and impact graph shows an aggregate view of this month’s Severity and Exploitability Index (click for larger view).
For more information about this month’s security updates, visit the Microsoft Bulletin Summary Web page.
Jonathan Ness and I will host the monthly bulletin webcast, scheduled for Wednesday, July 10, 2013, at 11 a.m. PDT. I invite you to register here, and tune in to learn more about this month’s security bulletins and advisories.
For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.
I look forward to hearing your questions about this month’s release in our webcast tomorrow.
Group Manager, Response Communications
Microsoft Trustworthy Computing