Patch Tuesday Preview: August 2013

Microsoft's advance notification for next week's August Patch Tuesday comprises eight updates
Microsoft's advance notification for next week's August Patch Tuesday comprises eight updates

Two of the critical updates are attracting the most attention: one for all supported versions of Internet Explorer "ranging from IE6 on Windows XP to IE10 on Windows 8 and RT;" while the other "affects all versions of Exchange, from 2003 to the newest version, 2013," explains Wolfgang Kandek, CTO at Qualys.

There is some debate over which of these should be given update priority by admins next week. Ross Barrett, senior manager in security engineering, Rapid7, thinks it should be the latter. "I would consider Bulletin #3 to be of the greatest concern," he believes, "as it affects all supported versions of Microsoft's Exchange Server and is rated as critical with remote code execution. If this is truly a remotely exploitable issue that does not require user interaction, then it's a potentially wormable issue and definitely should be put at the top of the patching priority list."

It is generally thought that the Exchange update has been necessitated by Oracle's earlier update to Outside In, which is used by Exchange. Computerworld reports Tommy Chin, a technical support engineer at CORE Security, explaining, "The remote code execution [vulnerability] within the Exchange server represents a threat to all companies using Exchange to run their e-mail service." He added, "What if all email suddenly became compromised? For most organizations, this scenario is simply unacceptable due to the sensitive information contained within today's email conversations."

But Andrew Storms, senior director of DevOps at CloudPassage, thinks the IE vulnerability should take precedence. "That's No. 1," he said, "nothing trumps an IE update. Browsers are the most targeted applications." Kandek agrees: "This will be the most important bulletin to implement."

Applying a little arithmetic, eWeek notes, "over the last 90 days, Microsoft has already issued fixes for at least 48 flaws in IE." Craig Young, a security researcher at Tripwire, takes this a bit further: "Desktop users browsing with any version of Internet Explorer should see this as another warning to migrate away from IE."

The third critical update applies only to XP and 2003. "Therefore," suggests Barrett, "for some organizations this patch may be of less concern, if they have already moved to newer Windows versions."

"The remaining five bulletins are all rated Important and consist of two Elevation of Privilege, two Denial of Service and one Information Disclosure," says Ziv Mador, director of security research at Trustwave. "All five of them impact various parts of Windows itself. Interesting that this month there doesn’t seem to be any Office, SharePoint, or other application level patches."

"All in all, not a bad month," suggests Paul Henry, a security and forensics analyst at Lumension.

What’s Hot on Infosecurity Magazine?