Microsoft is prepping eight security bulletins for next week’s Patch Tuesday release.
Three of the bulletins are rated ‘Critical’, while the others are classified as ‘important.’ The critical updates address vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. All of the critical updates address remote code execution issues, while the remaining five cover a mix of privilege escalation, denial of service and information disclosure issues.
“I would consider Bulletin number three to be of the greatest concern, as it affects all supported versions of Microsoft’s Exchange Server and is rated as critical with remote code execution,” said Ross Barrett, senior manager of security engineering at Rapid7. “If this is truly a remotely exploitable issue that does not require user interaction, then it’s a potentially wormable issue and definitely should be put at the top of the patching priority list.”
The second most significant bulletin is bulletin one due to its severity, multiple security experts said.
“To me, Bulletin 1 is most critical, as last time I saw an IE Remote Code execution of this caliber, I saw live malware exploiting it not too long after,” said Ken Pickering, director of engineering, CORE Security. “People are getting good at turning these IE vulnerabilities into web-based attacks.”
Bulletin two impacts legacy code, primarily Windows XP, noted Paul Henry, security and forensics analyst at Lumension. Support for XP ends in April 2014, so organizations should be sure to get their upgrade plans in place if they have not done so already, he added.
“With eight bulletins today, Microsoft’s year-to-date total is 65 patches,” he said. “For anyone keeping track, that’s seven more than what we had covered off on last year at this time. At the start of the year, we anticipated higher numbers in 2013 given Microsoft’s commitment to cleaning up the low-hanging fruit out there. Last year at this time there were 35 important patches issued; we now see 40. Our criticals in 2013 number 25, with 35 in total for 2012. Good news there.”
Patch Tuesday is scheduled for Aug. 13.
More from Brian Prince
- U.S. Healthcare Companies Hardest Hit by ‘Stegoloader’ Malware
- CryptoWall Ransomware Cost Victims More Than $18 Million Since April 2014: FBI
- New Adobe Flash Player Flaw Shares Similarities With Previous Vulnerability: Trend Micro
- Visibility Challenges Industrial Control System Security: Survey
- Adobe Flash Player Zero-Day Exploited in Attack Campaign
- Researchers Demonstrate Stealing Encryption Keys Via Radio
- Researchers Uncover Critical RubyGems Vulnerabilities
- NSA, GCHQ Linked to Efforts to Compromise Antivirus Vendors: Report
Latest News
- Android’s June 2023 Security Update Patches Exploited Arm GPU Vulnerability
- BBC, British Airways, Novia Scotia Among First Big-Name Victims in Global Supply-Chain Hack
- Sysdig Introduces CNAPP With Realtime CDR
- Stay Focused on What’s Important
- VMware Plugs Critical Flaws in Network Monitoring Product
- Google Patches Third Chrome Zero-Day of 2023
- Hackers Issue ‘Ultimatum’ Over Payroll Data Breach
- US, Israel Provide Guidance on Securing Remote Access Software
