A Sneak Peek At Microsoft's August Patch Tuesday8:37 PM EST Thu. Aug. 09, 2012
As Microsoft prepares to release next week's August edition of Patch Tuesday, the emphasis turns to another round of patches for Internet Explorer, as well as a fix for Exchange Server that has many security experts openly concerned.
This month's dispatch includes nine bulletins from Microsoft, but a separate entry from Adobe ratchets up the number of key issues to 10. On the Microsoft list, five of the bulletins are rated as critical, and four are rated as important.
"Even more interesting than the Internet Explorer bug, the situation with Exchange Server is kind of scary," said Marcus Carey, security researcher at Rapid7. "If I'm running Exchange on the enterprise, I want to know more about that vulnerability because it's a remote code execution that is listed as critical. That means that an attacker can probably discover this from anywhere in the world and can probably leverage the vulnerability from anywhere in the world, too. If you can compromise Exchange Server, you can compromise that whole company, and oftentimes compromise the corporate partners of the company, too."
[Related: RSA Fraud Report: Security By the Numbers]
Carey's concerns were echoed by Wolfgang Kandek, chief technical officer at Qualys. "The issue involves a file conversion tool from Oracle that they initially fixed last month, and that piece of software still has a critical problem," he said. So this can be used as an attack vector in which the Exchange Server would then come under the control of the attacker. Microsoft published an advisory a couple of weeks ago that this was a problem and urged people to disable this component during the interim. So, now they will publish a patch for it. It's probably pretty close to the patch that Oracle already published."
A second critical issue involves an Internet Explorer vulnerability. Microsoft had been issuing IE patches only once every other month, but recently announced an accelerated testing process through which the patches can now be issued on a monthly basis. "This is good from a security standpoint, even though it might be a little bit of an inconvenience for some of the administrators," said Kandek.
NEXT: A Browser Battle
Rapid7's Carey pointed out the browser fixes will likely continue at a fast pace for the foreseeable future.
"It seems that every month something happens to Explorer," he said. "It either impacts the browser itself or the browser plug-ins. It's so hard for hackers to get connected to the clients that they have to get to the browser. That's the new threat landscape. All the browsers have the same amount of heat on them. It's not just IE."
The other bulletins address problems in Windows and Microsoft Office. One, which is listed as critical, is believed by Carey to fix the remaining vulnerabilities in Microsoft XML Core Services. Another bulletin, which is rated important, affects Microsoft Office 2007 & 2010. A third bulletin, which is also rated important, affects Visio 2010.
Meanwhile, Adobe is plugging vulnerabilities in Adobe Reader and Adobe Acrobat. "These are both rated with the highest criticality, which means that administrators are being urged to patch within three days," said Kandek. "They seem to think that these vulnerabilities are easily exploitable."
PUBLISHED AUG. 9, 2012