As we move into the summer months, some of you IT pros might be dreaming about sipping fruity drinks underneath swaying palm trees on a beach far away – but the reality is that many of us never seem to get that much-needed vacation. There’s always another system to install, another problem to troubleshoot and, of course, another vulnerability to be fixed before an attacker can exploit it.
This month Microsoft will be releasing seven security updates for your patching pleasure. The good news is that only two of them are rated critical. Between them, though, the seven bulletins affect Windows, Office, Lync and Internet Explorer, so there’s no getting around the need to update.
Both of the critical updates pertain to remote code execution vulnerabilities, as does one of those that are rated as important. A couple are vulnerabilities that could result in disclosure of information, one is a denial of service issue, and the last has a label we don’t see nearly as often: tampering.
The first bulletin, which addresses the most severe of the remote code execution vulnerabilities, affects Internet Explorer versions 6 through 11 (in other words, all supported versions) on all supported versions of Windows except server core installations of Windows Server 2008, 2012 and 2012 R2.
Some sources have speculated that this could be a fix for a vulnerability publicly disclosed by HP TippingPoint’s Zero Day Initiative last month. That disclosure affected only IE 8, whereas this update applies to every supported version of IE, which would seem to argue against it. IE security updates are cumulative, however, and routinely fix more than one vulnerability at a time, so the previously disclosed flaw may well be among those addressed.
The second critical bulletin is interesting in that it spans software categories, affecting Windows, Office and Microsoft Lync. The critical rating applies to all supported versions of Windows, including the server core installations. It’s rated important for Office 2007 and 2010, does not affect the Microsoft Office Compatibility Pack SP3, and Microsoft is not listing an impact on Office 2013/2013 RT. It does apply to Microsoft Lync 2013, Lync 2010 and the Microsoft Live Meeting 2007 console, and is rated critical for all three of those.
The bulletins themselves will be released according to Microsoft’s regular Patch Tuesday schedule next week on June 10th, at or around 10:00 a.m. Pacific Time. At 11:00 a.m. Pacific Time on that date, Microsoft will host a webcast where customers can get their questions about the bulletins answered before deploying them in production.
Of course, none of these updates apply to Windows XP. We’re now two months into the XPocalypse – that is, this is the second round of updates to be released since Microsoft support for Windows XP ended (except in some very limited cases, such as the U.K. government, which paid big bucks for extended support). According to NetMarketShare’s statistics, as of May 2014 over 25 percent of computers were still using the obsolete operating system, and those aren’t just pirated copies from China: according to PC Pro’s U.K. site, 17 percent of British computers are still chugging along with XP, and Forbes reported last month that approximately a third of the customers of GE Intelligent Platforms still use XP.
Some XP aficionados with hacking skills have even come up with a way to trick Windows Update into continuing to apply security patches to XP – but Microsoft has warned users against trying this, as the patches are not tested on XP and could end up doing damage to the functionality of the operating system. I guess that’s one way to finally get the holdouts to give up and upgrade to a newer OS.
Know someone who’s still running XP in a corporate environment? Do your part to convince him/her that it’s time to bite the bullet and make the transition to a more modern and more secure operating system. Friends don’t let friends run XP, especially on a business network.
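If you’re the one who has to find those holdouts on a business network, the domain already knows which machines report an XP operating system. The following is an added example and not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that you have read access to the domain, and the output file name is my own choice.

```powershell
# Added example (not from the original post): list enabled, domain-joined
# computers whose AD object still reports a Windows XP operating system.
# Assumes the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled |
  Where-Object { $_.Enabled } |
  Sort-Object LastLogonDate -Descending |
  Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate

# Show the list on screen and keep a copy for the migration tracking sheet
# (file name is an assumption for this example).
$xpHosts | Format-Table -AutoSize
$xpHosts | Export-Csv -Path .\xp-holdouts.csv -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only updated roughly every two weeks, so treat it as a rough guide to which XP boxes are still in daily use rather than an exact last-seen time. Machines that never joined the domain, and anything on an isolated control network of the kind GE’s customers run, will not show up here and need a network scan or a walk through the plant instead.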