Microsoft has announced that it is to release nine patches on its August Patch Tuesday to address five critical vulnerabilities.
All five bulletins fix remote code execution flaws in Windows, Internet Explorer and Exchange, while one patch fixes flaws in Microsoft Office, SQL Server, Server Software and Microsoft Developer Tools.
The remaining four patches are rated as ‘important’ and fix flaws in Windows and Office; three of these fix remote code execution flaws, while one covers an elevation of privilege.
Paul Henry, security and forensic analyst at Lumension, said: “It's a busy Patch Tuesday this month, with lots of reboots, affecting all versions of Windows. Some of the updates this month will have far-reaching impact and they include patches to new problems, updates to old problems and something that might cause you a little more work than you might have been anticipating this month.”
He identified bulletin four as the most important, as this affects all platforms of Windows and addresses an ActiveX component that's redistributed in many places in Windows.
“It's an issue that was previously patched and this patch cleans up the previous patch. It's a very high priority update because it is native in Windows and impacts all Windows platforms,” he said.
Henry also said that the second priority should be bulletin one, which is a cumulative update for Internet Explorer fixing four separate critical issues involving remote code execution.
“If you're running a remote desktop protocol in Windows XP, then bulletin two should be another very important update. There have been a few recent updates for RDP from Microsoft lately. This is a remote code execution issue and it is able to do it pre-auth, so no authentication is needed. RDP is not on by default, but if you are using it, you should install it. This only affects Windows XP, but it is a high priority update,” he said.
Wolfgang Kandek, CTO of Qualys, identified bulletins one and five as being of particular interest. He said that bulletin one is the third consecutive update for Internet Explorer in as many months.
He said: “This new faster update frequency for IE is fruit of the streamlining that Microsoft has done in their QA process, but it also illustrates that there continues to be no shortage of browser vulnerabilities. All versions of IE are affected.”
Kandek said that bulletin five, an update for Exchange Server, will address the vulnerability caused by the Oracle component ‘Outside In’, which was first reported and addressed by Oracle in its July Critical Patch Update (CPU).