Microsoft today released its Advanced Notification for June, containing seven bulletins that address a total of 25 vulnerabilities. This is the same number of bulletins as last month, and we are also getting the same number of 'critical' issues: three receive the highest rating, while four are rated 'important'. The bulletins affect all versions of Windows, the .NET Framework, Microsoft Office, and Dynamics AX, Microsoft's ERP application.
Bulletins 1, 2 and 3 are the critical bulletins for Windows. Bulletin 1 is for a vulnerability in Windows rated 'moderate' on XP, but 'critical' on all other versions of Windows, including Windows 7. Bulletin 2 brings a new version of Internet Explorer (6, 7, 8 or 9, depending on the operating system) that includes the fixes for the attack disclosed at the Pwn2Own contest in March. Bulletin 3 is an update to the .NET Framework, again applicable to all currently supported versions of Windows.
Bulletin 4 is an update for Office, rated important, which in the Office context is roughly as severe as critical, as it usually indicates that the user needs to open a file to trigger the attack. Opening a file is an action completely natural to users of Office, so it does not really present a safeguard against this attack. Upgrading to the latest version of Office does represent a good safeguard in this case, as Office 2010, while affected by this vulnerability, is apparently immune to its triggering condition. Users of Office 2003 and 2007 should update as quickly as possible; Office 2010 users can apply the update at their leisure.
Bulletin 5 will only be interesting to a small subset of our users. It covers a vulnerability in Microsoft’s ERP portal Dynamics AX.
Bulletins 6 and 7 address local elevation of privilege vulnerabilities in Windows and are rated 'important'. However, Vista users do not need to worry about Bulletin 7.
Most users should focus on bulletins 1-4, Windows and Office, together with the important security announcement from Microsoft regarding the abuse of a Microsoft certificate in the signing of the Flame malware. If you have not installed the update in Security Advisory 2718704 yet, you should plan on rolling it out as quickly as possible, and at the latest together with the other critical patches next week. It is a simple patch that only removes the offending certificates from the system certificate store and will harden the OS against the expected use of the Flame signing technique by future malware.
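A quick way to confirm that the Advisory 2718704 update has actually taken effect on a host, as an added example that is not part of the original post or of Microsoft's advisory. It assumes the update is reported by Get-HotFix under the id KB2718704, that the update moves the revoked certificates into the Untrusted Certificates (Disallowed) store rather than deleting them outright, and that the certificate subject names in $ExpectedSubjects are placeholders to be replaced with the names listed in the advisory.

```powershell
# Added example: verify that the Security Advisory 2718704 update is installed and
# that the revoked certificates no longer sit in a trusted store on this host.
# ASSUMPTIONS: the update shows up in Get-HotFix as KB2718704; the revoked certs end
# up in Cert:\LocalMachine\Disallowed; the subject names below are placeholders.
function Test-Advisory2718704 {
    param(
        [string]$HotFixId = 'KB2718704',
        [string[]]$ExpectedSubjects = @('PLACEHOLDER-CERT-SUBJECT-1', 'PLACEHOLDER-CERT-SUBJECT-2')
    )
    $hotfix     = Get-HotFix -Id $HotFixId -ErrorAction SilentlyContinue
    $disallowed = @(Get-ChildItem -Path Cert:\LocalMachine\Disallowed)
    # Trusted stores in which none of the revoked certificates should remain.
    $trusted = @('Root', 'CA', 'AuthRoot') | ForEach-Object {
        Get-ChildItem -Path "Cert:\LocalMachine\$_" -ErrorAction SilentlyContinue
    }

    $stillTrusted = foreach ($subject in $ExpectedSubjects) {
        if ($trusted | Where-Object { $_.Subject -like "*$subject*" }) { $subject }
    }
    $notUntrusted = foreach ($subject in $ExpectedSubjects) {
        if (-not ($disallowed | Where-Object { $_.Subject -like "*$subject*" })) { $subject }
    }

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        UpdateInstalled  = [bool]$hotfix
        InstalledOn      = if ($hotfix) { $hotfix.InstalledOn } else { $null }
        StillTrusted     = @($stillTrusted)      # should be empty after the update
        NotInUntrusted   = @($notUntrusted)      # should be empty after the update
        Compliant        = [bool]$hotfix -and (@($stillTrusted).Count -eq 0) -and (@($notUntrusted).Count -eq 0)
    }
}

Test-Advisory2718704 | Format-List
```

Run it from an elevated PowerShell session on each host; a Compliant value of False with an empty StillTrusted list but a non-empty NotInUntrusted list usually means the subject placeholders have not been replaced with the real names from the advisory.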
Oracle will also publish a Java update that we expect to be of critical importance. Stay tuned for more information from us next week.