Microsoft today patched 12 vulnerabilities in Windows, Office and several server and development products, but as it hinted last week, did not come up with a fix for the Internet Explorer (IE) bug that cyber criminals have been exploiting for at least a month.
Today was also a spring tide of sorts for patching, as Microsoft's updates were just some that vendors pushed to customers. Adobe also issued updates for Flash Player, Adobe Reader and Adobe Acrobat; Google shipped a new version of Chrome; and Mozilla delivered the next iteration of Firefox.
"More vendors are aligning with Patch Tuesday," said Jason Miller, VMware's manager of research and development. "That's not necessarily a bad thing, but with so many, it makes it harder to get your hands around what needs to be patched."
Two of Microsoft's seven security updates were marked "critical," Microsoft's highest-threat rating. The other five were tagged "important." Of the 12 vulnerabilities, only three were critical.
Security experts voted MS13-002, one of the two critical updates, as requiring immediate attention. The one-vulnerability update addressed a bug in XML Core Services (MSXML) in every supported edition of Windows, from the 11-year-old Windows XP to the two-month-old Windows 8 and Windows RT.
MSXML was last patched by MS12-043, another critical update, released in July. That vulnerability was one of several allegedly uncovered, then exploited, by an elite hacker group dubbed "Elderwood" by Symantec, which in September said the gang had an inexhaustible supply of "zero-day" bugs at its disposal.
"MS13-002 is at the top of the list because it affects so many components, applications and operating systems," said Andrew Storms, director of security operations at nCircle Security. Last week, Storms put his money on XML or GDI as the likely culprits for what Microsoft called "Bulletin 2" in its monthly advance notification for today's fixes.
Miller agreed. "Many users will have multiple XML Cores on their system, so there may be more than one patch applied," he warned.
MS13-002 affected not only Windows, but as Storms and Miller said, also Office 2003 and Office 2007; Expression Web, part of the Expression Studio web development suite; and SharePoint Server 2007, Groove Server 2007 and System Center Operations Manager 2007.
A few researchers dissented on the first-to-patch roll call. Paul Henry, a security and forensic analyst at Lumension, picked MS13-001 instead.
"[This] is probably the most important vulnerability," Henry said in an email. "From an attack perspective, you could create a bunch of print jobs with malformed headers, send them to the network printer so they queue up in order, and if someone else on the network prints to the same printer, Print Spooler will actually go through and enumerate all the pending print jobs, which gives you the remote code execution."
Storms and Miller, who both picked MS13-001 for this month's No. 2 spot, thought the single-vulnerability update was as interesting as did Microsoft, which detailed the bug on its Security Research & Defense blog today.
The vulnerability in Windows Print Spooler -- but only in the code contained within Windows 7 and Windows Server 2008 R2 -- could be used by attackers, who must already have network access, to spread malware within an enterprise, where shared printers and multi-function devices are a dime a dozen.
"[MS13-001] was disconcerting at first, reminded me of Stuxnet," said Storms, talking about the notorious worm of 2010 believed to have been jointly created by the U.S. and Israeli governments to sabotage Iran's nuclear program. Stuxnet relied on several vulnerabilities to infect and spread, including a print spooler bug.
"But it's more like a 'watering hole,' where [an attacker] puts something malicious in the spooler and the next user who comes along gets infected," said Storm.
Microsoft security engineers Ali Rahbar and Jonathan Ness called the attack vector for the MS13-001 vulnerability "a little different than previous spooler service vulnerabilities" when they explained why they devoted a blog to it.
Rahbar and Ness said that the bug could not be triggered unless a Windows 7 or Server 2008 R2 customer had "third-party software installed on the client that enumerates print jobs differently than built-in Windows components."
They did not name names -- something Microsoft's always hesitant to do, said Miller -- but were talking about proprietary printer drivers and utilities included with printers sold by the likes of Hewlett-Packard, Epson and others.
"Essentially those DVDs you get with the printer are what will trigger this," said Storms. The flaw, however, is not in that software, but in Microsoft's.
Other updates released Tuesday included one that quashed four bugs in the .Net development framework, which is bundled with every edition of Windows; another in Windows' kernel-mode driver that affected Vista, Windows 7, Windows 8 and Windows RT; and others that addressed vulnerabilities in System Center Operations Manager and the Open Data (OData) protocol.
Today's patches didn't end with Microsoft. Several other vendors also delivered updates. Adobe, for example, again patched Flash Player, the media software baked into Google's Chrome and Microsoft's IE10. And Mozilla pushed out Firefox 18, the newest edition of its every-six-weeks browser.
Among the torrent of patches, one not offered today was for the IE6, IE7 and IE8 zero-day bug that hackers have been exploiting since at least Dec. 7.
Neither Storms nor Miller thought Microsoft could wait until the next round of scheduled updates on Feb. 12, five weeks from today, to patch the IE bug -- not with reports of attacks coming from additional compromised websites, as well as claims by Exodus Intelligence that it's crafted exploits that sidestep both workarounds Microsoft has urged customers to use until a patch is provided.
"I wouldn't be surprised if they go 'out-of-band,'" said Storms, using the term for an emergency update. "They won't want to wait for five weeks, and there's enough pressure on them now to work on an out-of-band."
"They will go out of band on this," asserted Miller. "Windows XP users can't get to IE9, and there are a lot still running XP. I think they'll [have a patch] as soon as next week, and no later than two weeks."
IE9 and IE10 do not contain the bug, which according to Symantec, was used by the Elderwood group for cyber espionage. But because IE9 won't run on Windows XP, those customers are stuck with a vulnerable browser. Data from Web analytics company Net Applications puts XP's online usage share at 39% in December, meaning nearly four out of every 10 personal computer users runs the aged OS.
January's security updates can be downloaded and installed through the Microsoft Update and Windows Update services, as well as via WSUS (Windows Server Update Services), the de facto patching mechanism for businesses.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer, on Google+ or subscribe to Gregg's RSS feed. His email address is firstname.lastname@example.org.
Read more about malware and vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.