Internet Explorer, Office and Lync collaboration software are the targets of two critical security bulletins for Microsoft’s June Patch Tuesday, marking the halfway point in 2014 with 30% fewer bulletins than the company had issued at this point last year.
The first critical bulletin affects Internet Explorer versions 7, 8, 9, 10 and 11 as well as Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows RT and Windows RT 8.1.
+ Also on Network World: New attack methods can 'brick' systems, defeat Secure Boot, researchers say | NSA program aims to authorize commercial security offerings | Mobile ads pose serious threat to enterprise security, report warns +
The bulletin is expected to be a cumulative patch that incorporates two previous fixes that Microsoft issued out-of-band from the regular Patch Tuesday schedule, says Qualys CTO Wolfgang Kandek. They were deemed important enough to warrant special treatment and now are likely being wrapped into the standard set of patches. “This one is top of the list for you to fix, since all the information has been out there for over two weeks,” he says.
The second critical bulleting affects all versions of Microsoft Windows, Office 2007 and 2010, and Lync 2010 and 2013. If successfully exploited, the flaws could result in a remote code execution on affected machines. “Given the critical rating, it wouldn’t surprise me if there’s an added element to this that makes it more dangerous than your standard phishing attack,” says Chris Goettl, product manager at Shavlik. “It’s also possible that Microsoft has seen some attacks in the wild.”
Microsoft Lync is also being patched in a less severe bulletin ranked important. “It's interesting to see two advisories this month updating Lync and related communication software,” says Tyler Reguly, manager of security research at Tripwire. “It's not software that you normally see updates for, so it'll be interesting to see what flaws were discovered with it and why they couldn't be incorporated into a single bulletin.”
Two bulletins this month affect Office, both related to Office 2007 but only one having an impact on Office 2010. “Office 2013 gets a free pass this month,” Reguly says. “Newer software should always see fewer patches. It means that Microsoft Security Development Lifecycle (SDL) is working.”
At this point last year Microsoft had issued 50 security bulletins, 16 of them critical. This year the total number is 35, with 12 ranked critical.