Microsoft will release 14 bulletins to address 34 vulnerabilities on its monthly Patch Tuesday tomorrow.
Angela Gunn, security response communications manager at Microsoft, said that the release will fix flaws in Windows, Microsoft Office, Internet Explorer and Silverlight, with eight of the bulletins marked as critical and six as important.
Five of the bulletins cover a critical remote code execution flaw in Windows and one each in Internet Explorer, Office and Silverlight. The important-rated patches cover four elevation-of-privilege vulnerabilities in Windows, and a remote code execution flaw in both Windows and Office.
Gunn said: “As always, we recommend that customers review the ANS summary page for more information and prepare for the testing and deployment of these bulletins as soon as possible.
“This will be the most bulletins we have ever released in a month; we have released 13 bulletins on a couple of occasions. However, in total CVE count, this release ties with June 2010, so there's no new record there.”
Wolfgang Kandek, CTO at Qualys, said that in addition to last week's out-of-band patch for the Windows shortcut vulnerability, the total patches for August number 14.
He said: “Including the LNK update, nine bulletins have a rating of critical and affect all versions of the Windows OS, Internet Explorer, Silverlight and Microsoft Office. Windows 7 and 2008 R2 have a smaller number of critical vulnerabilities than Windows XP and 2003 in function of their improved security architecture, but are still affected by two critical vulnerabilities each.
“Internet Explorer, Office and Silverlight updates apply across the board on all Windows versions. They are examples of the increasingly used type of flaw, where attackers and malware go through the installed applications rather than through the core operating system.
“Windows XP SP2 users do not have any patches supplied to them, even though the five critical vulnerabilities for XP SP3 most likely apply to their discontinued version of the OS as well. Windows XP SP2 users should upgrade to SP3 as quickly as possible.”
Asked if this will prove to be a busy day for IT administrators, Greg Lambert, technology director of ChangeBASE, said that there is a pattern to the Patch Tuesday updates from Microsoft so far this year.
He said: “Microsoft is always one month behind and would have worked hard in July to get stuff done and in September we will get two or three patches as this is the holiday period. Microsoft wanted to get as much done as possible in July so that they can release these tomorrow and have an easier time in August.”
Alan Bentley, SVP international at Lumension, said: “Any last-ditch effort to enjoy the end of summer is being put off with another huge Patch Tuesday. More than half of the patches in this month's update are critical, requiring a restart and impacting almost any Microsoft platform.”
He also pointed to Adobe's announcement that it will patch vulnerabilities in its Reader and Acrobat, including CVE-2010-2862, which was discussed at the recent Black Hat Conference. Adobe said that it is not aware of exploits in the wild for any of the issues.