Microsoft plans six Patch Tuesday fixes, RCE bugs in 'critical' batch
Remote code execution (RCE) flaws in Windows and IE will receive top priority this month.
Ahead of Tuesday's monthly security update, Microsoft has previewed six patches, which will address vulnerabilities in its Windows, Internet Explorer and Server software.
On Thursday, the tech giant released an advance notification for Patch Tuesday revealing two critical fixes for remote code execution (RCE) bugs in Windows and Internet Explorer (IE). In addition, three bulletins will address “important” elevation of privilege vulnerabilities in Windows, while a final update, ranked “moderate,” plugs a Microsoft Server hole allowing denial-of-service attacks.
The patches for Windows and IE RCE bugs were pegged top priority because they could allow RCE without user interaction – meaning saboteurs could easily spread malware to users as they engage in routine online activities like web browsing or checking email. Bulletins 1 and 2 are expected to bring a cumulative update for IE, affecting versions 6 through 11 of the web browser, as well as a security overhaul for Windows.
“The second critical bulletin hits just about every version of Windows, from Vista and Server 2008 to 8.1, so it will be important to look into,” Russ Ernst, director of product management at Lumension, wrote in prepared emailed correspondence to SCMagazine.com.
Ernst noted, however, that the last scheduled patch from Microsoft, Bulletin 6, included a moderate fix – “a severity [rating] we haven't seen released for a while now [which] impacts Microsoft Service Bus for Windows Server,” he said.
“Microsoft Service Bus is a messaging service used by many third party web applications, as well as by Microsoft Azure, so even though this is rated as ‘moderate,' it is probable that this vulnerability would be used in conjunction with other vulnerabilities to target those applications,” Ernst explained.
Ross Barrett, senior manager of security engineering at Rapid7, also addressed the denial-of-service fix, calling it the “odd one out this month” among the patches.
“[Service Bus is] part of the Microsoft Web Platform package and is not installed by default with any OS version,” Barrett wrote in prepared comments sent via email correspondence. “That said, if you have this component, you will probably care to patch this before script kids start knocking over your site,” Barrett said.