A Sneak Peek At Microsoft's August Patch Tuesday


As Microsoft prepares to release next week's August edition of Patch Tuesday, the emphasis turns to another round of patches for Internet Explorer, as well as a fix for Exchange Server that has many security experts openly concerned.

This month's dispatch includes nine bulletins from Microsoft, but a separate entry from Adobe ratchets up the number of key issues to 10. On the Microsoft list, five of the bulletins are rated as critical, and four are rated as important.

"Even more interesting than the Internet Explorer bug, the situation with Exchange Server is kind of scary," said Marcus Carey, security researcher at Rapid7. "If I'm running Exchange on the enterprise, I want to know more about that vulnerability because it's a remote code execution that is listed as critical. That means that an attacker can probably discover this from anywhere in the world and can probably leverage the vulnerability from anywhere in the world, too. If you can compromise Exchange Server, you can compromise that whole company, and oftentimes compromise the corporate partners of the company, too."

[Related: RSA Fraud Report: Security By the Numbers]

Carey's concerns were echoed by Wolfgang Kandek, chief technical officer at Qualys. "The issue involves a file conversion tool from Oracle that they initially fixed last month, and that piece of software still has a critical problem," he said. So this can be used as an attack vector in which the Exchange Server would then come under the control of the attacker. Microsoft published an advisory a couple of weeks ago that this was a problem and urged people to disable this component during the interim. So, now they will publish a patch for it. It's probably pretty close to the patch that Oracle already published."

A second critical issue involves an Internet Explorer vulnerability. Microsoft had been issuing IE patches only once every other month, but recently announced an accelerated testing process through which the patches can now be issued on a monthly basis. "This is good from a security standpoint, even though it might be a little bit of an inconvenience for some of the administrators," said Kandek.

NEXT: A Browser Battle