This month, I’m writing this blog post at 1:00 a.m. on U.S. Independence Day – the 4th of July – on a cruise ship in the middle of the ocean in route to beautiful Skagway, Alaska. Holiday or not, IT pros are looking for a sneak preview of what we’re facing on Patch Tuesday, and I’m sure many are keeping fingers crossed in hopes that the post-celebratory updating duties will go smoothly.
The bad news is: this isn’t going to be one of those always-welcome “two patch Tuesdays.” The good news is: it’s also not going to be one of those fifteen-patch back breakers. Microsoft is releasing six patches this time, with only a couple of them rated as critical and four more that are classified as important.
As is so often the case, the two critical patches will address vulnerabilities that can allow for remote code execution. This is, of course, one of the most dangerous types of exploits because it can enable an attacker to take over complete control of the targeted computer. Three of the important patches fix flaws that could be used to gain an elevation of privileges. Because an attacker could potentially capture administrative access through this type of exploit, it’s also a serious matter. However, given the lower severity rating, it’s likely that at least some of these are exploits that would require users to take some action – such as opening an email attachment or visiting a web site that contains the malicious code – and thus proper user education could help to prevent these threats from affecting your systems. The one remaining patch addresses a Denial of Service vulnerability.
Five of these patches are for vulnerabilities in various versions of the Windows operating system with one of the critical patches also pertaining to Internet Explorer. All supported versions of IE are affected (versions 6-11) on all supported versions of the Windows OS with the exception of server core installations (which, of course, don’t have web browsers installed). That includes Windows 8/8.1 and Windows RT. Bulletins 1-4 affect RT as well as the Intel-based versions of Windows, but Bulletins 5 and 6 do not. While rated critical on the client operating systems, the IE patch is only rated moderate on Windows Server, since IE is more locked down by default. The sixth patch affects Microsoft service bus for Windows Server (we’ll go into more detail about that in the Patch Tuesday Roundup).
In summary, it looks to be a moderately light Patch Tuesday. There are no patches for Microsoft Office programs this time – which can be counted as good news since it seems that most of the updates that have caused problems recently have been patches for Office. We will, of course, provide the nitty-gritty details on each of these as soon as they’re released, and if we get reports of any unpleasant side effects from the installation of any of the patches, we’ll get that news out to you as quickly as possible, along with any suggested solutions or mitigations. Always check the security bulletins themselves for detailed instructions on any special prerequisites before applying the patches, and it’s always best practices to test the patches before rolling them out on your production machines.
I’ll be back next week with the full low-down on these six patches and if we’re lucky, they won’t cause any fireworks.