Qualys Blog

www.qualys.com
wkandek

October 2014 Patch Tuesday Preview

After a small Patch Tuesday last month we are back to a normal size this month. We are getting nine bulletins, five of which address Remote Code Execution (RCE) vulnerabilities, the category that we usually consider the most urgent. An RCE vulnerability allows the attacker to run code of their choosing on your machine and take control of it, typically by installing malware such as a Remote Access Trojan (RAT).

Bulletin #1 is the first update for an RCE type vulnerability (or, more likely, several). It is for Internet Explorer and affects all currently supported versions, 6 to 11, on all operating systems including Windows RT. An attacker would craft a malicious webpage and attract traffic to it, for example through Search Engine Poisoning or by using websites already under her control. This bulletin should be the highest priority for you, whether you are an enterprise or a consumer.

Bulletin #6 is an update for Microsoft Office 2007 and 2010. Microsoft rates it as important, even though it allows RCE through the applications. We generally rate these bugs as critical, and since attackers frequently focus on application level vulnerabilities you should apply bulletin #6 as soon as possible. Mac OS X users are also affected if they have Office 2011 installed, but we have not yet heard of attacks against Office on that platform.

Bulletin #2 is rated critical by Microsoft and addresses RCE type vulnerabilities in .NET. It affects all operating systems, so it is a high priority if you have .NET installed. The same goes for Bulletin #3, which is for a critical vulnerability in the Windows operating system itself, since it also allows for RCE. We believe it is located in one of the graphics or media libraries.
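Whether Bulletin #2 applies to a given host comes down to which .NET Framework versions are installed. The following PowerShell snippet is an added example, not code from the Qualys post; it reads the NDP registry keys that the .NET Framework setup writes (the `Version`, `Install` and `Release` values under `HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP`), and the function name `Get-InstalledDotNet` is our own.

```powershell
# Added example (not from the original post): list installed .NET Framework
# versions so you can decide whether the .NET bulletin is relevant to a host.
# Assumes the standard NDP registry layout written by .NET 2.0 through 4.x setup.
function Get-InstalledDotNet {
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP'
    if (-not (Test-Path $ndp)) {
        # No NDP key at all means no .NET Framework 2.0+ is installed.
        return @()
    }
    Get-ChildItem -Path $ndp -Recurse |
        # Only keys that carry a Version value describe an installed component;
        # keys without the requested values are skipped silently.
        Get-ItemProperty -Name Version, Install, Release -ErrorAction SilentlyContinue |
        # Skip the "Setup" helper keys; keep keys such as v2.0.50727, v3.5, Client, Full.
        Where-Object { $_.PSChildName -match '^(?!S)\p{L}' -and $_.Install -eq 1 } |
        Select-Object @{ Name = 'Key';     Expression = { $_.PSChildName } },
                      @{ Name = 'Version'; Expression = { $_.Version } },
                      @{ Name = 'Release'; Expression = { $_.Release } }   # Release is set for 4.5+ only
}

# Usage: a non-empty result means the .NET bulletin applies to this machine.
$installed = Get-InstalledDotNet
if ($installed.Count -eq 0) {
    Write-Output 'No .NET Framework 2.0+ detected; the .NET bulletin does not apply.'
} else {
    $installed | Format-Table -AutoSize
}
```

Run it in an elevated or standard PowerShell session on each host (or through your configuration management tooling); the `Release` number distinguishes the 4.5.x servicing levels that share a `v4\Full` key, which matters when a bulletin targets only some of them.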

Bulletin #5 is the last RCE style vulnerability this month. It is in Windows and is rated important by Microsoft, which typically means user interaction is required to trigger the vulnerability. It is most likely a file format vulnerability in one of the included utilities.

The remaining bulletins, #4, #7, #8 and #9, address local vulnerabilities in Windows, Office and Microsoft's developer tools.

We expect an update for Flash from Adobe as well.

In addition, Oracle will publish their quarterly Critical Patch Update next week on Patch Tuesday. These are usually massive and address many software components found in a typical enterprise. Tune in on Tuesday for more information.
