Microsoft announced its lineup for next week’s Patch Tuesday. We will get 14 bulletins, already bringing the number for this year to 80 in September. We are well on our way to getting more than 100 bulletins this year, compared to 83 in 2012 and exactly 100 in 2011, a good reflection of how challenging the computer security business continues to be.
Of the 14 bulletins, the first eight are rated as “Remote Code Execution,” which is the type of weakness that attackers are after when looking for ways to get into your network. Bulletins #1 to #4 are rated “critical” by Microsoft, indicating that they can be exploited only with user interaction. Bulletin #1 is for SharePoint Server and should be the highest priority on the list for your server administrators, after diligent testing to ensure that the patch does not impact any business-critical functionality. Bulletin #2 should be high priority for your desktop security team; it addresses a flaw in Microsoft Office that can be triggered simply by previewing an e-mail in Outlook, even without explicitly opening the e-mail. Outlook in Office 2007 and 2010 is affected.
Bulletin #3 is a critical update for Internet Explorer (IE) affecting all versions from IE6 to IE10, including on Windows 8 and Windows RT. Bulletin #4, the last critical bulletin, addresses a flaw in Windows, but only affects the soon-to-be legacy operating systems Windows XP and Windows Server 2003. You should be phasing those out by now, since they lose support for security patches in April of next year, as does Office 2003. Those operating systems and the Office suite will then start to accumulate unfixed vulnerabilities and become a magnet for attackers, who will have access to easy-to-use and surefire tools to exploit setups that run on XP/2003 or that have Office 2003.
Of the remaining bulletins, #6, #7 and #8 are priorities, as they all address issues in Office (Word, Excel and Access) that can be used to take control of a targeted machine. All versions of Office (2003, 2007, 2010 and 2013) are affected, and bulletin #7 also applies to Excel in Office 2011 on Mac OS X.
Overall, it’s a sizeable Patch Tuesday focused mainly on desktop vulnerabilities, at least if you do not run SharePoint Server.