Microsoft to release three critical fixes
Posted on 09 August 2013.
The August 2013 Patch Tuesday advance notification includes a slightly higher volume of fixes than last month, but only 3 of 8 are critical, which is down from July’s 6 of 7 critical fixes. However, in a reversal from last month, the advisories are focused on Windows operating system patches, plus one Exchange issue.

Remember that a “critical” rating from Microsoft factors in the vulnerability's exploitability and whether it has been responsibly disclosed. Given this, we could be looking at a number of issues that are in the wild.

I would consider Bulletin #3 to be of the greatest concern, as it affects all supported versions of Microsoft's Exchange Server and is rated as critical with remote code execution. If this is truly a remotely exploitable issue that does not require user interaction, then it's a potentially wormable issue and definitely should be put at the top of the patching priority list.

Bulletin #1 is the monthly patch for Internet Explorer’s critical issues and should be the second prioritized patch, given its rating and broad exposure.

The third critical issue is Bulletin #2 and only applies to Windows XP and 2003. Therefore, for some organizations this patch may be of less concern, if they have already moved to newer Windows versions.

The other five advisories, two Elevation of Privilege, two Denial of Service (DoS), and one Information Disclosure, are spread across Windows versions. The only remarkable point is that one of the DoS vulnerabilities applies exclusively to Server 2012.

Author: Ross Barrett, Senior Manager, Security Engineering, Rapid7.

