Microsoft's Patch Tuesday plan for Aug. 14: 9 bulletins, 5 critical

Microsoft's next patch load will cover just about all of its major products.

Microsoft just released it's advance notification for Tuesday's patch release. The expected load for August: nine bulletins -- five of them critical -- for security holes in Microsoft Office, SQL Server, Server Software, Developer Tools, Windows, Internet Explorer and Office. In other words, all major Microsoft technology is affected.

Here's the early reaction so far:

Alex Horan, senior product manager, CORE Security

“This month’s patches look like a hacker’s playground. All but one of the bulletins are Remote Code Execution and five are critical. This is intriguing for both the good and the bad guys. Bulletin 1 is a critical remote code execution and appears to target all current Windows desktop and server versions. It appears to require IE so would be a great Client Side candidate and I expect a lot of attention to be paid to this vulnerability when the details are announced. Bulletin 3 has some interest as it appears to be a network based vulnerability but it is only critical in XP, 2003, so while I would look into it, my first priority would be Bulletin 1.”

Marcus Carey, security researcher at Rapid7

“For the second month running, Microsoft’s Patch Tuesday Advanced Notification includes nine bulletins. This month, five are rated ‘critical’ and four ‘important’.

“This month is a mixed bag of critical bulletins which affects workstations, browser, server, and productivity products. Bulletin 1 is rated critical and will address Internet Explorer 6, 7, and 8. Browser bulletins always deserve attention since client-side browser attacks are the de facto way to compromise corporate networks.

“Microsoft Office products have three bulletins dedicated to them. Bulletin 4 is a critical bulletin which looks like it may fix the remaining vulnerabilities in Microsoft XML Core Services. Bulletin 8, rated important, affects Microsoft Office 2007 & 2010. Bulletin 9 is also rated important and affects Visio 2010. It should be noted that one or more of these Office-related vulnerabilities could also affect Mac users.

“Bulletin 5 is one to pay attention to since it addresses a critical remote code execution vulnerability in Microsoft Exchange. This is interesting from an exploitation standpoint because Exchange servers are usually exposed on the Internet. When attackers hear “remote code execution on Exchange” it’s music to their ears. They could see potential for remote discovery, remote exploitation and propagation of attacks since Exchange is the epicenter of most organizations’ communications. Email servers are prime targets for exploitation.”

Stay tuned...

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline