Summer is beginning to wind down and the kids will be back in school soon in many places. If you were hoping for a super light patch month to give you more time to get in that last trip to the beach, I have both good news and bad news. This month is nothing like last May, when we had 16 security bulletins to contend with, but it’s also not one of those four-patch months like we had at the beginning of the year. August is bringing us a total of nine security updates from Microsoft that will be coming down the pike next Tuesday.
The August 12 releases will include only two updates that are classified as critical. Both of these are – in keeping with the recent pattern for critical updates – of the remote code execution variety. One of the critical updates applies to Internet Explorer and Windows, while the other is a Windows update. The vulnerabilities that are addressed by the IE update apply to all currently supported versions of the web browser: Internet Explorer 6, 7, 8, 9, 10 and 11, on all supported Windows operating systems (server core installations, of course, are not affected since they don’t run the browser software).
The second critical update applies to Windows 7, Windows 8 and Windows 8.1 only. Windows RT and RT 8.1 are not affected, nor are any of the Windows server operating systems. This update also applies to the Windows Media Center TV Pack for Windows Vista.
The remaining seven updates are rated as “only” important. Bulletin #3 is listed as an Office update and I was surprised to see that it affects one of my favorite Office apps, and one that isn’t often the target of such updates: Microsoft OneNote. However, this vulnerability apparently exists only in an older version (OneNote 2007 SP3), so it’s probably not going to apply to a large number of users since there have been two newer versions of OneNote released since then. This is another remote code execution vulnerability, though, so if you do happen to be using that version of OneNote, it’s important to get it patched.
Bulletin #4 applies to Microsoft SQL Server and it affects versions 2008, 2008 R2, 2012 and 2014. This one could be exploited to bring about an elevation of privilege, and in fact the next three bulletins, #5, 6 and 7, all address elevation of privilege vulnerabilities. Bulletins 5 and 6 apply to Windows and once again, we’re talking about all supported versions of the OS. This time that even includes the server core installations of Windows Server. Bulletin 7 applies to SharePoint Server 2013, including 2013 with Service Pack 1.
The last couple of updates deal with security bypass features. Bulletin #8 impacts the .NET Framework in Windows, and Bulletin #9 is applicable to Windows 7, 8, 8.1 and RT 8 and 8.1, as well as Windows Server 2008 R2, 2012, 2012 R2, and the server core installations of Windows Server. It doesn’t apply to the older versions of Windows that are still supported (Vista, Server 2003 SP2 and Server 2008 SP2).
It’s a substantial package of updates, but with luck the process will go smoothly and there will still be time afterward to get out there and enjoy the summer sun while we still can.