It might be the dog days of summer, but there’s no relief from the annoying task of updating .NET Framework.
To everyone’s surprise, Microsoft rereleased last month’s .NET updates for Windows. If you installed them, you’ll need to do it again.
Our regularly scheduled Internet Explorer fix
It’s a given that our first post–Patch Tuesday fix will be an IE update. KB 2862772 addresses various new vulnerabilities, including a fix for the DEP/ASLR-bypass exploit revealed at the CanSecWest 2013 Pwn2Own contest. Pwn2Own was held this past March, and Microsoft is still patching vulnerabilities revealed at the contest. (Despite a flurry of patching before the contest, Chrome, Firefox, and IE 10 were all cracked, as reported in a ZDNet article.)
This update impacts all current versions of IE (including IE 11 Preview) and is rated critical for all workstation installations. (It’s rated moderate on Windows servers.) Security researchers expect to see exploits within the next 30 days; attacks will typically come from malicious websites.
What to do: Install KB 2862772 (MS13-059) as soon as offered.
A related kernel update to put on hold
According to an MS Security Research & Defense post, KB 2859537 also addresses the DEP/ASLR-bypass exploit revealed at the Pwn2Own contest. But unlike the above IE fix, this patch is for Windows.
As I’ve often noted, I make it a rule to delay installing kernel updates for a few weeks — they’re known to cause problems with security applications and other software. At the moment, I’m checking out reports of a potential BSoD triggered by KB 2859537, as noted in a Microsoft Community thread.