At the end of each year, some folks take a moment to jot down predictions about what the coming year has in store. I, on the other hand, do not do predictions. I am neither prognosticator, seer, fortune teller, prophet, clairvoyant, soothsayer, nor medium; although I have been accused of being a thaumaturge and security gnome, but only in good ways, of course. Fortunately, Microsoft Trustworthy Computing’s own Tim Rains, director of product Management, has offered predictions about the security landscape in 2013.

Of the five, number four resonates most with me as we think about forthcoming security updates in the New Year;

Prediction #4: Software updating gets easier and exploiting vulnerabilities gets harder.

We’ve worked hard to ensure our security updates are as easy to install as possible, and thanks to technologies like automatic updating and Windows Software Update Services (WSUS), this is largely true. Still, we realize these technologies don’t cover all of the software that you may have installed on your system, and that’s why I’m counting on Tim’s predictions coming to pass. From Tim’s blog posting:

As vendors like Adobe, Oracle, and others make it easier and easier for customers to keep ubiquitous software updated, the window of opportunity for attackers to exploit old vulnerabilities will get smaller and smaller.

We may never have completely perfect software; however, it is encouraging to see the industry as a whole moving toward an easier update process.

Now, on to the news of the day; today we’re releasing seven bulletins, two Critical-class and five Important-class, addressing 12 vulnerabilities in Microsoft Windows, Office, Developer Tools and Windows Server. For those who need to prioritize deployment, we recommend focusing on the following Critical updates first:

MS13-002 (Microsoft XML Core Services)

This security update resolves two issues in Microsoft XML Core Services that could allow remote code execution if an affected system browsed to a specially crafted website. You’ll notice there are updates available for supported versions of Microsoft Windows and Office, as well as certain Developer Tools and Server Software. This means you may be offered more than one update for this issue. Along with all of the other bulletins releasing today, the issues were privately disclosed and we’re not aware of any attacks or customer impact.

Security Advisory 2755801

With this month’s release, we are revising Security Advisory 2755801 to provide the latest update addressing issues in Adobe Flash Player for IE 10. This is a cumulative update, which means customers do not need to install previous updates as a prerequisite for installing the current update. We remain committed to working closely with Adobe to deliver quality protections that are aligned with Adobe’s update process.

Security Advisory 973811

This advisory is being revised to add a Fix it that automatically sets Windows XP and Server 2003 systems to only allow NTLMv2. This has long been considered a best practice, and this release will make it even easier to implement. The KB article has also been updated to include all recommendations and best practices for various NTLM authentication scenarios. Applying the Fix it also enables the NTLMv2 settings required for users to take advantage of Extended Protection for Authentication as described in the advisory.

Please watch the bulletin overview video below for a quick summary of today’s releases.

As always, we recommend that our customers deploy all security updates as soon as possible. Our deployment priority guidance is below to further assist in deployment planning (click for larger view).

Our risk and impact graph shows an aggregate view of this month's severity and exploitability index (click for larger view).

For more information about this month's security updates, visit the Microsoft Security Bulletin summary webpage.

Andrew Gross and I will host the monthly technical webcast, scheduled for Wednesday, Jan. 9, 2013 at 11 a.m. PST. I invite you to register here, and tune in and learn more about the January security bulletins and advisories.

For all the latest information, you can also follow the MSRC team on Twitter at @MSFTSecResponse.

I hope all of your New Year’s resolutions are still intact, and all of your (positive) predictions for 2013 come true. I look forward to hearing your questions during the webcast.

Thanks,

Dustin Childs
Group Manager
Trustworthy Computing