Microsoft will fix bugs in Internet Explorer, desktop and server editions of Windows and Visio for August Patch Tuesday.
Microsoft plans to patch 22 vulnerabilities in Internet Explorer,
Windows, Visio and Visual Studio as part of the August Patch Tuesday
Microsoft will release 13 security bulletins, two of which are rated
"critical," the company said Aug. 4. Nine were rated as "important" and
the final two were listed as "moderate" according to the preview
Even though there are more bulletins than the July update, the number
of vulnerabilities remained the same, which is unusual, considering
Microsoft recently has been alternating large updates with small ones.
August was expected to be a heavy month.
Considering there were 16 bulletins fixing 34 vulnerabilities in June
and 17 bulletins fixing 64 bugs in April, 22 vulnerabilities across 13
bulletins doesn't sound so big, after all. Even so, IT administrators
still have a lot of work ahead of them, as they may still be dealing
with the 78 patches from Oracle's July Critical Patch Update on July 19
and Apple's update for Mac OS X Lion on July 20, said Paul Henry,
security and forensic analyst for Lumension. "Microsoft is making IT
admins earn their Labor Day holiday," Henry said.
The bi-monthly update for Internet Explorer is rated as critical and is
most likely the one administrators should deploy first, Storms said.
The IE update is critical for all platforms and applies to all
versions, from IE 6 through 9 on Windows 7, Vista, XP, 2003 and 2008,
according to Microsoft. This would be the second update for IE9 in less
than five months since its release.
"If left unpatched, attackers could use this vulnerability to remotely
take control of victims' systems," said Wolfgang Kandek, CTO for Qualys.
Since the preview announcement doesn't provide any details on what the
actual flaw is being patched, users should limit their use of Internet
Explorer to only visit trusted sites and be careful about clicking on
links, said Marcus Carey, a security researcher for Rapid7. Servers
should never be used to browse the Internet, but many organizations do
so anyway, and "compromise their crown jewels," Carey said.
Concerned users should consider using an alternate browser, such as
Firefox or Chrome, until the patches are live, according to Carey.
"While multiple browsers can be an administrative headache at times, it comes in handy in situations like this," said Carey.
The other critical bulletin addresses flaws in the two newest versions
of Microsoft's server operating system, Windows Server 2008 and Server
2008 R2. While Server 2003 has the same vulnerability, Microsoft said
the update was only "important" for that version.
"Server administrators should apply patches immediately as this vulnerability also leads to remote code execution," said Kandek.
Nine bulletins are specific to Windows vulnerabilities, but five of
them won't apply to Windows XP. One of the bulletins addresses issues
in Windows 7 and Server 2008 R2, the latest versions of the desktop and
server software. Considering Vista shares a lot of code with Windows 7,
it was a little puzzling that the bulletin did not patch Vista,
according to Storms.
Microsoft is expected to update .NET framework, Visual Studio 2005
development tool and all supported versions of Visio. Microsoft also
patched a DLL vulnerability in Visio last month that could have been
exploited with a remote code execution attack.
"We have seen other Visio vulnerabilities fairly recently and recommend
including the software in your regular patching cycle and/or have users
not using that software remove it from their systems," Kandek