Businesses will want to jump on the patches that fix vulnerabilities across the full range of supported Microsoft Exchange Server versions flagged in next week's Patch Tuesday alerts.
“This month’s remediation is all about the Exchange servers,” says Tommy Chin, a technical support engineer at CORE Security. The critical alert affects all supported versions of Exchange Server - Exchange Server 2007 Service Pack 3, Exchange Server 2010 SP 2 and 3, and Exchange Server 2013, cumulative updates 1 and 2.
Chin says Exchange’s reliability is generally taken for granted. “However, what if all e-mail communications suddenly became compromised?” he says. “For most organizations, this scenario is simply unacceptable due to the sensitive information contained within today’s e-mail conversations.”
Ross Barrett, senior manager of security engineering at Rapid7, agrees. “If this is truly a remotely exploitable issue that does not require user interaction, then it's a potentially wormable issue and definitely should be put at the top of the patching priority list,” Barrett says.
Another critical alert, Bulletin 1, affects the current client and server operating systems, Windows 8 (including Windows RT) and Windows Server 2012, as well as earlier versions back through Windows XP and Windows Server 2003.
There are no details yet on the exact vulnerabilities, but a critical rating means exploitation could allow code execution without any user interaction. Self-propagating malware such as a network worm, and code execution during ordinary use without warnings or prompts, are the scenarios that fit this category; simply browsing to a malicious Web page or opening an e-mail can be enough.
“To me, Bulletin 1 is most critical,” says Ken Pickering, the director of engineering at CORE Security. “The last time I saw an IE Remote Code execution of this caliber, I saw live malware exploiting it not too long after. People are getting good at turning these IE vulnerabilities into web-based attacks.”
Bulletin 1 affects Internet Explorer versions 6 through 10 as deployed on all Windows client operating systems from Windows XP to Windows 8, including its ARM version, Windows RT. It also affects Windows Server 2003, 2008, 2008 R2 and 2012.
Three out of eight bulletins this month are critical, possibly facilitating remote code execution on victim machines. The rest of the bulletins are ranked important, two allowing elevation of privileges by attackers, two threatening denial of service and one that could allow disclosure of information on the attacked machine.
Paul Henry, a security and forensics analyst at Lumension, notes that the bulletin count for this year so far is up seven over the same point last year, but with 10 fewer rated critical.