As usual, Microsoft has issued an advance notification for this month’s Patch Tuesday. The updates will become available on Tuesday, May 14 at about 10am PST.
There are ten bulletins this month, two of them flagged Critical. In total, 34 vulnerabilities in Windows, Office, Internet Explorer, .NET and server software will be addressed.
Update 2013May11: The upcoming patches will include a fix for the Internet Explorer 8 vulnerability recently discovered.
Microsoft today released a new version of the update that caused so many problems this past Patch Tuesday, MS013-036.
The new version is KB2840149, and it replaces the update originally associated with MS013-036, KB2823324.
The new update will be installed automatically on computers with auto-update enabled. Anyone using manual updates should install the new version by visiting the Windows Update site or the KB2840149 page.
According to Adam Gowdiak of Security Explorations, many of the Java vulnerabilities he reported to Oracle in recent months were fixed in the April update (Java 7, Update 21).
However, several of the reported vulnerabilities remain, and Oracle has confirmed that they are working on fixes for those issues.
On April 22, Mr. Gowdiak reported another new Java vulnerability to Oracle:
The new flaw was verified to affect all versions of Java SE 7 (including the recently released 1.7.0_21-b11). It can be used to achieve a complete Java security sandbox bypass on a target system. Successful exploitation in a web browser scenario requires proper user interaction (a user needs to accept the risk of executing a potentially malicious Java application when a security warning window is displayed).
Current Java status: vulnerable.
Details are on the Security Explorations web site (scroll to the end).
Update 2013Apr27: Ars Technica reports that exploits for the just-patched Java vulnerabilities are showing up in attack kits and being seen in the wild. If you use Java, patch it ASAP!
As expected, Oracle yesterday released a new update for the series 7 Java Runtime Environment (JRE). Java 7 Update 21 includes fixes for a whopping forty-two security vulnerabilities.
Adam Gowdiak of Security Explorations reports that several of the issues previously reported by him have apparently been fixed in Java 7u21. He points out that one issue in particular took six weeks to fix, and that this delay was unwarranted.
Update 21 also includes some general security improvements. Java will now pop up security warnings whenever unsigned Java code starts to run. Requiring Java code to be signed is going to annoy some users, but given the number of Java security issues in recent months, this is definitely a good idea. The Internet Storm Center has additional details.
Given that most of the fixed vulnerabilities can allow remote attackers to gain control of unprotected computers, we recommend installing the update as soon as possible on any computer running Java, especially those with Java enabled in web browsers.
Unfortunately, as with most Java updates, the announcement from Oracle leaves much to be desired. The date of the announcement is buried toward the bottom of the document. The version of the update is never mentioned. Instructions to users are needlessly complex.
Yesterday, Oracle announced that it will soon issue a significant update for Java. The update will include fixes for forty-two known security vulnerabilities, including thirty-nine that may be remotely exploitable without authentication. Apparently the update will also introduce some new general security improvements.
Ars Technica has additional details.
The update is scheduled for release later today (April 16, 2013).
Apparently some Windows users are encountering problems after installing last Tuesday’s Microsoft updates. One of the updates, KB2823324 (aka MS13-036), is causing system errors on some Windows computers.
Affected users are advised to follow the instructions in a new bulletin, KB2839011 – You receive an Event ID 55 or a 0xc000021a Stop error in Windows 7 after you install security update 2823324.
The original update has been pulled from the Windows Update site, and is no longer being pushed out to Windows computers with Autoupdate enabled.
Update: Microsoft is now saying that the update in question (KB2823324) should be removed from ALL Windows 7 computers. See bulletin KB2839011.
A new version of Chrome was made available today. Included in version 26.0.1410.64 is a new version of Flash (11.7), and some stability improvements.
Today, Adobe announced the latest version of Flash, 11.7.
The new version includes security improvements related to Firefox, and fixes several bugs.
The changes in Flash 11.7 will find their way into Internet Explorer 10 and Google Chrome in the near future, in the form of separate updates for those programs.
There are nine updates this month. They should be available from Windows Update by the time you read this. The updates fix security issues in Windows, Internet Explorer, Office and server software. Two of the updates are flagged as critical. If you want all the technical details, see the security bulletin for this month’s updates.
It’s that time again. Microsoft has posted its usual notification about the next Patch Tuesday. This month’s patch day is on April 9. Anyone using Windows Autoupdate will start seeing the patches around 10am on that day.
There will be nine bulletins/updates this month, two of which are Critical, addressing Windows, Internet Explorer, Office, and server software. The technical details are available in the associated Security TechCenter post.
boot13