Security experts stress urgency of patching Windows XML flaw

Microsoft released seven new security bulletins for the first Patch Tuesday of 2013; the most urgent is a patch for a flaw in XML.

Happy Patch Tuesday! Microsoft is kicking off the year with seven new security bulletins. Five are rated Important and two are rated Critical, but one in particular has security experts concerned.

Andrew Storms, director of security operations for nCircle, stresses that MS13-002 will be a popular target for attackers and should be the top priority. "If you can't do anything else right away, at least patch this one post haste. This critical XML bug affects every version of Windows in one way or another because XML is used by a wide range of operating system components."

Tyler Reguly, technical manager of security research and development at nCircle, agrees. "If you have to apply only one patch, pick this one and pay close attention to the number of products affected."

Of course, the XML flaw is only one of the Critical security bulletins this month. The other one is MS13-001, which deals with a flaw in the print spooler service on Windows 7 and Windows Server 2008.

Ross Barrett, senior manager of security engineering for Rapid7, explains, "It is an interesting defect in that an attacker could queue malicious print job headers to exploit clients which connect."

Barrett points out, however, that no organization should have a print spooler accessible outside the firewall, so remote exploit should be non-existent. He adds, though, that there is nothing to prevent an inside or local exploit, and that an attacker who has compromised a system through other means might be able to use this vulnerability from the inside.

One other area of concern, though, is that a zero-day vulnerability being actively exploited in Internet Explorer 6, 7, and 8 is not addressed in this Patch Tuesday release. Microsoft has provided a Fix-It tool that guards against the known attacks in the wild, as well as against the Metasploit exploit module. However, Exodus Intelligence discovered that there are other ways to trigger the vulnerability that are not addressed by the Fix-It tool.

Wolfgang Kandek, CTO of Qualys, urges IT admins to apply the Fix-It since it at least addresses the known attacks, but cautions them to also beware of the ongoing active threat. "IT admins in enterprises should track this vulnerability closely, as a large percentage of enterprises still run the affected versions of Internet Explorer 6, 7 and 8."

VMware's Research Development Manager, Jason Miller, suggests that IT admins make sure antimalware protection is kept up to date to guard against new attacks. He also points out that IE9 and IE10 are not affected and that one solution would be to simply upgrade to a newer version of the browser. Of course, that won't work for users still on Windows XP or older versions.

Storms expects Microsoft to release an out-of-band patch within the next couple of weeks to address the IE zero-day.

Stories by Tony Bradley