Microsoft Fixes 20 Exploits; Announces Surface Fixes, Windows Store App Patch Process

Microsoft pushes a big round of updates for March Patch Tuesday, including fixes for IE, Surface RT/Pro, Windows Slow Boot Slow Login (SBSL), a USB driver flaw that lets a device execute malicious code, and more. The company also announces its security updates policy for Windows Store apps.

For the March 2013 Patch Tuesday, Microsoft released a total of seven bulletins addressing 20 vulnerabilities in Windows, Office, Internet Explorer, Server Tools, and Silverlight.

Microsoft also revealed today how it will handle security updates for Windows Store apps: "We will deliver high quality security updates for Windows Store apps as they become available. The process for updating will be identical to any other type of update for a Windows Store app. The difference is that we'll document the security issue through a security advisory and we'll update the advisory when we release new updates," explains the company.

Of the seven bulletins, four are rated critical and three are rated important:

Microsoft March 2013 Patch Tuesday Bulletin Deployment Chart

MS13-021 resolves "nine vulnerabilities" in Internet Explorer, which are rated critical for IE versions 6, 7, 8, 9, and 10 on Windows clients and moderate for the same versions on Windows servers. "The most severe vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer."

In addition, an update released today also addresses vulnerabilities in Adobe Flash Player in IE10 on Windows 8.

The MS13-022 security update for Silverlight addresses a remote code execution vulnerability.

MS13-027 fixes a kernel-mode driver issue in Microsoft Windows versions including 8, RT, 7, Vista, Server and XP. It addresses how the Windows USB drivers handle USB descriptors when enumerating devices.

According to KB 2807986, an attacker could add a maliciously formatted USB device to the system. "When the Windows USB device drivers enumerate the device, parsing a specially crafted descriptor, the attacker could cause the system to execute malicious code in the context of the Windows kernel," Microsoft explained.

Also, KB2775511, a massive Slow Boot Slow Login (SBSL) hotfix for Windows 7 and Windows 2008 R2 released today, fixes performance and stability issues.

"There are improvements to the DFSN client, Folder Redirection, Offline Files and Folders, WMI, and SMB client to name a few. There are also improvements to Group Policy which gets blamed for pretty much everything when I'm doing a WDRAP," Microsoft writes.


Finally, KB2589345, which is supposed to bring fixes for the 64-bit editions of Microsoft OneNote 2010 on Windows 7, hangs while deploying files, as the patch tries to install the 32-bit version of OneNote.

"Have Windows 7 64 bit, Office 2010 Home Edition 32-bit. The update is trying to install the 32-bit version of the OneNote update. Gets just over half-way through and just hangs," a user reported on the Microsoft support forum.

Microsoft has also used this update to deliver several performance improvements and bug fixes for both the Surface RT and the Surface Pro. The update specifically brings:

  • "fixes to Wi-Fi reliability for better roaming,
  • improvements to the "limited" connectivity scenarios,
  • resolve issues with the integrated volume button,
  • improvements to Type and Touch cover typing experience on soft surfaces and when the devices and keyboard are lying flat,
  • and fix for random sound muting and to bring trackpad performance improvements," according to the Microsoft support forum.


Update 03/16: The March 2013 Security Bulletin Webcast Questions & Answers video has been released. The webcast fielded 13 questions, with specific bulletin questions focusing primarily on IE (MS13-021), SharePoint (MS13-024) and the update in MS13-027.