For the past four months – since the beginning of this year – we’ve had an extraordinary run of good luck in relation to Microsoft updates, with each Patch Tuesday bringing so few updates that we could count them on the fingers of one hand. Of course, we knew it couldn’t last forever; sooner or later the patching load was bound to go back to a more normal level. Sure enough, May brought – along with warmer weather in much of the world – a doubling of the patch load we’d gotten used to over the past few months.

 

May’s Patch Tuesday will bring a moderate but not outrageous number of updates: eight in all. Only two of these have been rated as critical, but the remaining six important updates include both the remote code execution and elevation of privilege varieties, along with one that involves bypass of security features and one that could be exploited to launch a denial of service attack.

 

The critical update that’s at the top of the list addresses yet another remote code execution issue in Internet Explorer, coming hot on the heels of a zero day vulnerability in IE that was so serious it resulted in an out-of-band patch that we discussed in this blog just 10 days ago. This is, unfortunately for Microsoft, likely to result in further erosion of confidence in the Internet Explorer web browser, which was exacerbated by governmental agencies such as the U.S. Department of Homeland Security issuing warnings to use an alternate browser instead of Microsoft’s web browser. Once again, all supported versions of IE (in other words, IE 6, 7, 8, 9, 10 and 11) on all supported versions of the Windows operating system are at risk from this one. Only computers running the server core installation (that don’t have a web browser installed) escape this one unscathed.

 

In addition to IE, software products that are affected by this month’s updates include Windows, Windows Server software, Microsoft Office and the .NET framework that’s installed on many or most Windows installations. This means millions of computers will potentially be impacted by one or more of these vulnerabilities and will need to be updated as soon as possible.

 

The Microsoft Office updates affect Office 2007, 2010 and 2013, and that also includes Office 2013 RT. Office Web Apps 2010 and 2013 are also affected by one of the two Office-related updates, and SharePoint 2007 through 2013 is the server software that is affected by the second of the critical updates.

 

We will, of course, share more details about these eight security updates as soon as we have a chance to check them out upon their release next Tuesday, so check back here on this blog then.