Microsoft lines up biggest Patch Tuesday of the year
Second update this month covers critical flaws in IE and SharePoint.
Microsoft is breaking with recent tradition by announcing its heaviest patch load of the year so far for next Tuesday, including two critical updates, for Internet Explorer and SharePoint, that will affect a large swathe of businesses. The update, which Microsoft announced on Thursday, includes eight bulletins in total, covering IE, Windows, Office and SharePoint. The two critical bulletins both reference remote code execution vulnerabilities.

The SharePoint update covers SharePoint Server 2007, 2010 and 2013 as well as Microsoft Web Apps 2010 and 2013. According to Ross Barrett, security engineering senior manager at Rapid7, “this may prove to be a legitimate remotely exploitable issue, and definitely where I would focus my remediation resources first”.

However, a close second when it comes to priorities will be the IE patch, especially for those businesses still stuck on XP. “The IE critical is the first that clearly would have applied to Windows XP, but for which a patch is not available”, said Barrett.
“IE 6, 7, and 8 are vulnerable on Windows 2003 SP2. This would historically have mapped to the same scope of XP patches, but not this time. Anyone still using XP just got a little less secure – not that they were well off to begin with”.
The remaining bulletins are all rated “important” and include remote code execution, elevation of privilege and denial of service vulnerabilities. According to Lumension director of product management, Russ Ernst, they cover a broad sweep of software categories. “Bulletin 3 is a possible remote code execution that hits Office; bulletin 4 is for most versions of Windows. Windows and the .NET framework are covered off in bulletin 5 with an elevation of privilege issue”, he explained. “The sixth and seventh bulletins impact most versions of Windows with elevation of privilege and denial of service issues respectively. The last bulletin addresses a security feature bypass issue in Office”.
In addition, Windows 8.1 users must remember to install Windows 8.1 Update, released last month, if they want to keep receiving updates: machines without it will not be offered next Tuesday's bulletins. Four of the bulletins listed, including the critical IE update, affect this OS version.

Next Tuesday's update will be the second this month, after Microsoft was forced to issue an out-of-band patch for Internet Explorer on May 1. That update dealt with a zero-day exploit for Internet Explorer, spotted in the wild last month being used by an APT group, and also covered out-of-support Windows XP machines.
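Because a Windows 8.1 machine without Windows 8.1 Update silently stops receiving new bulletins, an administrator will want a quick way to confirm the prerequisite is in place before Patch Tuesday. The following is an added example, not code from the article or from Microsoft; it assumes that Windows 8.1 Update is delivered as KB2919355 and that Windows 8.1 reports an OS version beginning with 6.3, neither of which the article states.

```powershell
# Added example (not from the article): confirm a Windows 8.1 host has Windows 8.1 Update
# installed, since hosts without it are not offered subsequent bulletins.
# Assumption: Windows 8.1 Update is KB2919355 and Windows 8.1 reports version 6.3.x.

$os = Get-CimInstance -ClassName Win32_OperatingSystem

# Only Windows 8.1 / Server 2012 R2 (NT 6.3) have this prerequisite.
if ($os.Version -notlike '6.3.*') {
    Write-Output "Version $($os.Version) is not Windows 8.1; this check does not apply."
    return
}

# Get-HotFix queries installed updates; -ErrorAction avoids a terminating error when absent.
$update = Get-HotFix -Id 'KB2919355' -ErrorAction SilentlyContinue

if ($update) {
    Write-Output "Windows 8.1 Update present (KB2919355 installed $($update.InstalledOn)); new bulletins will be offered."
} else {
    Write-Warning "Windows 8.1 Update (KB2919355) is missing: install it first or this host will not receive further updates."
}
```

Run it in an elevated PowerShell session on each Windows 8.1 host, or wrap it in `Invoke-Command` against a list of computer names to sweep a fleet before Tuesday.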