Microsoft announced plans today to release six security bulletins as part of this month’s Patch Tuesday.
Of the six, two are rated ‘critical’, while three are rated ‘important’ and one is considered ‘moderate.’ The updates are for Microsoft Windows, and Microsoft Server Software and Internet Explorer, with the critical ones targeted at IE and Windows.
It’s the time of year where many people take vacation away from the office but this won’t be the month to push off patching, blogged Russ Ersnt, director of product management for Lumension.
“Datacenter administrators shouldn’t plan to be away too much next week since every bulletin impacts nearly every supported Windows Server version,” he added. “Two of the bulletins even impact Windows Server set to Core mode.”
Wolfgang Kandek, CTO of Qualys, called the IE bulletin the most critical, and noted it affects all versions of the browser from Internet Explorer 6 to Internet Explorer 11.
“This patch should be the top of your list, since most attacks involve your web browser in some way,” he blogged. “Take a look at the most recent numbers in the Microsoft SIR (Security Intelligence Report) report v16, which illustrated clearly that web-based attacks, which include Java and Adobe Flash are the most common.”
Bulletin 3, 4, and 5, he added, are all elevation of privilege vulnerabilities in Windows and affect all versions of Windows.
“They are local vulnerabilities, i.e they cannot be used to achieve code execution remotely through the network, but require that the attacker already haves a presence on the targeted machine as a normal or standard user,” Kandek blogged. “Exploits for these types of vulnerabilities are part of the toolkit of any attacker as they are extremely useful, when the attackers get an account on the machine, say through stolen credentials. In any practical scenario, the attacker then wants to assure continued control of the machine and will need to become administrator of the machine to install their controlling malware. This is where these vulnerabilities come in – we consider these extremely important to fix to help frustrate or slow down attackers once they are on the target machine.”
The final bulletin is rated ‘moderate’ and impacts Microsoft Service Bus for Windows Server, Ernst explained.
“Microsoft Service Bus is a messaging service used by many third-party web applications as well as by Microsoft Azure, so even though this is rated as Moderate, it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,” he blogged.
The Patch Tuesday updates will be released July 8 at approximately 10 am PT.