Microsoft published the Advanced Notification for February 12, 2013 This Patch Tuesday is considered "Very Heavy" as Microsoft issued twelve Bulletins, five rated "critical" and the remaining six rated "important", addressing a wopping 57 vulnerabilities.
Five of the bulletins have a severity of critical, including bulletin 1 and bulletin 2, which both address Internet Explorer vulnerabilities affecting all versions of IE from 6 - 10, including on Windows RT running on the Surface tablet. Bulletin 3 is a critical Operating System level bulletin for Windows XP, 2003 and Vista, whereas users of the newer versions of Windows will not be affected. Bulletin 4 is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month's Critical Patch Update (CPU). The last critical vulnerability is covered by Bulletin 12 and affects only Windows XP, so again, users of the newer versions of Windows will be spared from having to apply that patch.
Bulletins 1 and 2 affects vulnerabilities in all versions of Internet Explorer. It is marked critical, and could lead to malicious code exploitation without any user interaction via drive-by downloading and exploit kits. Users of IE 10 will be updated automatically; but all other users should update ASAP. As an aside, it appears that this bulletin includes a number of updates to impact the Microsoft / Java issue.
Bulletin 3 labeled critical, affects XP and Vista, and Windows Server 2003 and 2008
Bulletin 4 [critical],” suggests Wolfgang Kandek, CTO at Qualys, “is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month's Critical Patch Update (CPU).”
Bulletin 5 can lead to remote code execution and affects Office and Server software. The main difference between the critical and important labels is that ‘important’ requires some user interaction – such as accepting a warning pop-up – while ‘critical’ requires none. Where end-user software is concerned, such as Office, this can be an academic rather than effective distinction. Some users automatically click ‘OK’ on OS warnings without any conscious interaction. Admins may generally be advised, then, to consider important end-user bulletins with the same urgency as critical bulletins.
Bulletins 6 and 10 address vulnerabilities that can lead to denial of serviThe remaining bulletins are all rated important and are mostly "Local Elevation of Privilege" type of vulnerabilities, meaning that one already has to be on the targeted computer to be able to attack them. One exception is Bulletin 5, which can be used for Remote Code Execution. It affects the FAST Indexing server for Sharepoint and it also caused by Oracle's update of the Outside In libraries that are used by Microsoft for document conversion processes. ce against Windows Server 2008 and 2012 (both), and also Vista and Windows (Bulletin 10). The remaining bulletins all address vulnerabilities that can lead to an escalation of privilege; “Meaning,” notes Kandek, “that one already has to be on the targeted computer to be able to attack them.” The problem with the modern advanced threat is that this may have already happened – possibly via the critical vulnerabilities that are dealt with in Bulletins 1 and 2.
Bulletin 12 (critical) affects XP SP3 only.
Special Notice: Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows, Linux, and Mac OS X. Update your Flash installations as quickly as possible - Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.
Bottom Line: Make sure your computers and servers run updates Tuesday night, and please reboot your equipment Wednesday morning!