In a very light set of monthly security bulletins, Microsoft will issue just one that it’s ranking critical and it involves Internet Explorer.
If left unpatched, the browser is subject to attacks that execute malicious code on victim machines, so getting the updates to patch it is important, says Ross Barrett, a security engineer at Rapid7. “This will be the top patching priority for this month,” he says.
+[Also on Network World: Surface Pro 3: A great business desktop and a pretty good laptop, too; Microsoft targets Apple, Samsung with cheaper flagship Lumia]+
In addition to the threat posed by the vulnerabilities that the patches correct, these critical browser updates will be challenging for IT organizations, says Eric Cowperthwaite, vice president of advanced security & strategy, Core Security. Installing the updates requires system restarts and the browser in all its versions is widely distributed among organizations. “We don’t yet know if there are active exploits in the wild, but there may well be. And, even if not, this appears to be something that is likely to have exploits developed in the near future,” Cowperthwaite says.
Vulnerable versions include IE 6, 7, 8, 9, 10, and 11 running on desktop Windows Vista, Windows 7 and Windows 8.1 as well as Windows Server 2003, 2008 and 2012.
The bulletin about the Internet Explorer problems is likely to include a roll-up of fixes for any number of vulnerabilities found over the past month, says Ross Barrett, a security engineer at Rapid7.
The rest of this month’s bulletins are rated important, which means that attacks against these vulnerabilities require some action on the user’s part in order to succeed. Still, one bulleting warns against vulnerabilities that could lead to escalation of privilege on compromised Windows 8 and 8.1 machines and Server 2012 and 2012 RT, says Jon Rudolph, a senior software engineer at Core Security.
A third bulletin addresses flaws in Windows Server 2003, 2008 and 2012 and Windows Vista, 7, 8, and 8.1 that could lead to DDoS attacks against the machines. The final bulletin involves Lync Server 2010 and 2013 and also addresses problems that could lead to DDoS attacks.
Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at email@example.com and follow him on Twitter@Tim_Greene.