Patch Tuesday: What the experts are saying

Here's what experts are saying about the flood of Microsoft patches

Nine bulletins released on Patch Tuesday address 19 vulnerabilities, of which 15 are critical. Here's what experts are saying about the flood of Microsoft patches.

Windows was hit hard on Microsoft’s Patch Tuesday, with eight of the nine patches addressing issues in all shipping versions of both the client and server editions of the OS.

Related story: Microsoft, Apple, Mozilla patches put heavy load on IT

The lone non-Windows patch fixes holes in Office, Visual Studio, ISA Server and BizTalk Server.

The nine bulletins in total address 19 vulnerabilities, of which 15 are critical. Here's what experts are saying about the flood of patches:

“Many people are going to be looking at the WINS (039) anonymous remote code execution attack as a potential worm vector, but they shouldn’t minimize the IIS denial of service attack or Bulletin 038. These vulnerabilities mean that anyone could become infected simply by opening a movie file. Who doesn't use the Internet these days to watch videos? This month had the potential to be the month of ATL bug fixes, but it has turned out to be more of a smorgasbord. These updates are going to require lots of IT resources for testing and deployment.” -- Andrew Storms, director of security operations, nCircle

“There’s no break from patching this summer. Microsoft is playing catch up with these patches as cybercriminals have already used some of the serious vulnerabilities to commandeer vulnerable Windows computers.” -- Dave Marcus, director of security research and communications, McAfee Avert Labs

“All of the ActiveX issues patched this month could be easily exploited and can impact even the average computer user. For example, any user who has Microsoft Office on their machine could be vulnerable to the Microsoft Office Web Components vulnerabilities. Similarly, every user with Windows XP SP3 or Vista could also be susceptible to one of the Remote Desktop Connection issues.” -- Ben Greenbaum, senior research manager, Symantec Security Response

“It’s been a long time since it has been so operating system focused. In the past year, 75% or more of the bulletins have been focused on Internet Explorer, Office and some of the media players. So this month to have four of them be server-side exploits – IIS 7.0, Workstation, MSMQ and WINS – is unusual. The server-side vulnerabilities are a hacker’s best friend. I have been keeping my eye out for them the past year and I have seen so few of them. It is like Microsoft software has gotten so much better, it is harder and harder to find the server-side vulnerabilities. It seems like they were all aggregated and released today. So if I am a hacker, I have quite the playground now to play in.” -- Eric Schultze, CTO, Shavlik Technologies

Follow John on Twitter: http://twitter.com/JohnFontana

Learn more about this topic

Apple patches 18 Mac vulnerabilities, ships OS X 10.5.8

Mozilla patches three public Firefox bugs

Network World: Patch management research page