Microsoft Patch Tuesday Update Contains No Critical Fixes

Microsoft’s next Patch Tuesday bulletin is slated for September 13.

The five patches, ranked by Redmond with the slightly less severe ranking of “important,” fix security bugs in Microsoft Windows, Office and Server Software.

Three of Microsoft’s Patch Tuesday updates repair holes that allow remote code execution attacks, which typically enable hackers to launch malicious code on victim computers remotely, and often without any user intervention.

The remaining two patches plug holes that enable elevation of privilege exploits. All five updates will likely require a restart from the user.

“This is the first patch Tuesday in recent times that does not have a single critical update. It is also a relatively small update and is consistent to the cycle of smaller patches every other month,” said Amol Sarwate, vulnerability labs manager for security firm Qualys , in an e-mail, adding that in light of the relatively easy patch load, security experts anticipated a “smooth deployment of these patches by IT departments who are already used to the Microsoft Patch Tuesday cycles.”

However, despite the absence of critical patches, Sarwate said that a few updates should be prioritized. Among the first to be installed should be the two Microsoft Office patches, affecting Excel 2003 through Excel 2010 and Office 2003 through Office 2010, which enable remote code execution attacks, he said.

Another top priority should be the Windows patch that repairs a remote code execution flaw in XP, Vista, Windows 7, as well as Windows 2003 and Windows 2008, he added.

“Other patches can be evaluated at a relatively lower urgency because attackers already need lower privilege access to the target system to execute the exploit,” Sarwate said. “This includes the Windows 2003/2008 and SharePoint Server 2007 security update.”

While the impending Microsoft patch represents the first in recent history devoid of critical fixes, experts underscore that users should still be vigilant about installing the updates in a timely manner.

“It's easy for organizations to gain a false sense of security during a light patch month and sometimes an attitude of complacency towards non-critical vulnerabilities is evident," said Marcus Carey, security researcher at security firm Rapid7. "But while there are no ‘critical’ bulletins this month, organizations should not downplay the vulnerabilities being addressed."

Carey said that while ‘important’ vulnerabilities may not enable attackers to access full root privileges generally associated with ‘critical’ vulnerabilities, they could use an “important”-rated vulnerability to initially achieve compromise and then escalate privileges by other means.

“By using an ‘important’ vulnerability and other methods, attackers can still end up with the same result, and so it is essential that organizations understand that all five of these ‘important’ bulletins can result in an escalation of privileges for the attacker, which is a serious matter and needs to be addressed quickly,” he said.