Microsoft plans to patch 22 vulnerabilities in Internet Explorer, Windows, Visio and Visual Studio as part of the August Patch Tuesday release.
Microsoft will release 13 security bulletins, two of which are rated "critical," the company said Aug. 4. Nine were rated as "important" and the final two were listed as "moderate" according to the preview announcement.
Even though there are more bulletins than the July update, the number of vulnerabilities remained the same, which is unusual, considering Microsoft recently has been alternating large updates with small ones. August was expected to be a heavy month.
Considering there were 16 bulletins fixing 34 vulnerabilities in June and 17 bulletins fixing 64 bugs in April, 22 vulnerabilities across 13 bulletins doesn't sound so big, after all. Even so, IT administrators still have a lot of work ahead of them, as they may still be dealing with the 78 patches from Oracle's July Critical Patch Update on July 19 and Apple's update for Mac OS X Lion on July 20, said Paul Henry, security and forensic analyst for Lumension. "Microsoft is making IT admins earn their Labor Day holiday," Henry said.
The bi-monthly update for Internet Explorer is rated as critical and is most likely the one administrators should deploy first, Storms said. The IE update is critical for all platforms and applies to all versions, from IE 6 through 9 on Windows 7, Vista, XP, 2003 and 2008, according to Microsoft. This would be the second update for IE9 in less than five months since its release.
"If left unpatched, attackers could use this vulnerability to remotely take control of victims' systems," said Wolfgang Kandek, CTO for Qualys.
Since the preview announcement doesn't provide any details on what the actual flaw is being patched, users should limit their use of Internet Explorer to only visit trusted sites and be careful about clicking on links, said Marcus Carey, a security researcher for Rapid7. Servers should never be used to browse the Internet, but many organizations do so anyway, and "compromise their crown jewels," Carey said.
Concerned users should consider using an alternate browser, such as Firefox or Chrome, until the patches are live, according to Carey.
"While multiple browsers can be an administrative headache at times, it comes in handy in situations like this," said Carey.
The other critical bulletin addresses flaws in the two newest versions of Microsoft's server operating system, Windows Server 2008 and Server 2008 R2. While Server 2003 has the same vulnerability, Microsoft said the update was only "important" for that version.
"Server administrators should apply patches immediately as this vulnerability also leads to remote code execution," said Kandek.
Nine bulletins are specific to Windows vulnerabilities, but five of them won't apply to Windows XP. One of the bulletins addresses issues in Windows 7 and Server 2008 R2, the latest versions of the desktop and server software. Considering Vista shares a lot of code with Windows 7, it was a little puzzling that the bulletin did not patch Vista, according to Storms.
Microsoft is expected to update .NET framework, Visual Studio 2005 development tool and all supported versions of Visio. Microsoft also patched a DLL vulnerability in Visio last month that could have been exploited with a remote code execution attack.
"We have seen other Visio vulnerabilities fairly recently and recommend including the software in your regular patching cycle and/or have users not using that software remove it from their systems," Kandek said.