Microsoft will not release any critical updates on its next Patch Tuesday.
According to an advance notification, five "important" security bulletins addressing 15 vulnerabilities in Microsoft Windows and Office will be released on Tuesday 13 September. Two of the bulletins address issues in Windows, with one covering an elevation of privilege vulnerability and the other a remote code execution flaw.
The three Office patches cover an elevation of privilege vulnerability and a remote code execution flaw.
Adobe has said it will issue critical patches for its Reader and Acrobat products on the same day as the next Patch Tuesday. The updates will affect versions 10.1 and earlier of Reader X and versions 9.4.5 and 8.3 and earlier of Reader; versions 10.1 and earlier of Acrobat X; and versions 9.4.5 and 8.3 and earlier of Acrobat.
Amol Sarwate, vulnerability labs manager at Qualys, said: “Top priority should be given to remote code execution Microsoft Office patches that affect Excel 2003 through Excel 2010 and Office 2003 through Office 2010. Another high priority is the Windows patch that fixes a remote code execution flaw in Windows XP, Windows Vista, Windows 7, Windows 2003 and Windows 2008.
“Other patches can be evaluated at a relatively lower urgency because attackers already need lower privilege access to the target system to execute the exploit. This includes the Windows 2003/2008 and SharePoint Server 2007 security update.”
Paul Henry, security and forensic analyst at Lumension, said: “Even with no vulnerabilities rated critical this period, the importance of quickly deploying these upcoming patches should not be overlooked. Prioritise the remote code execution issues first, followed by privilege escalation issues.”
Marcus J. Carey, security researcher and community manager at Rapid7, said: “It's easy for organisations to gain a false sense of security during a light patch month, and sometimes an attitude of complacency towards non-critical vulnerabilities is evident, but while there are no critical bulletins this month, organisations should not downplay the vulnerabilities being addressed.”