Microsoft is prepping eight security bulletins for next week’s Patch Tuesday release.
Three of the bulletins are rated ‘Critical’, while the others are classified as ‘important.’ The critical updates address vulnerabilities in Microsoft Windows, Internet Explorer and Exchange. All of the critical updates address remote code execution issues, while the remaining five cover a mix of privilege escalation, denial of service and information disclosure issues.
“I would consider Bulletin number three to be of the greatest concern, as it affects all supported versions of Microsoft’s Exchange Server and is rated as critical with remote code execution,” said Ross Barrett, senior manager of security engineering at Rapid7. “If this is truly a remotely exploitable issue that does not require user interaction, then it’s a potentially wormable issue and definitely should be put at the top of the patching priority list.”
The second most significant bulletin is bulletin one due to its severity, multiple security experts said.
“To me, Bulletin 1 is most critical, as last time I saw an IE Remote Code execution of this caliber, I saw live malware exploiting it not too long after,” said Ken Pickering, director of engineering, CORE Security. “People are getting good at turning these IE vulnerabilities into web-based attacks.”
Bulletin two impacts legacy code, primarily Windows XP, noted Paul Henry, security and forensics analyst at Lumension. Support for XP ends in April 2014, so organizations should be sure to get their upgrade plans in place if they have not done so already, he added.
“With eight bulletins today, Microsoft’s year-to-date total is 65 patches,” he said. “For anyone keeping track, that’s seven more than what we had covered off on last year at this time. At the start of the year, we anticipated higher numbers in 2013 given Microsoft’s commitment to cleaning up the low-hanging fruit out there. Last year at this time there were 35 important patches issued; we now see 40. Our criticals in 2013 number 25, with 35 in total for 2012. Good news there.”
Patch Tuesday is scheduled for Aug. 13.