Microsoft will release eight patches on its next Patch Tuesday, two of which are rated as critical.
Fixing remote code execution flaws in Windows, Explorer, Server Software and Productivity Software, this is the first scheduled release since the final scheduled patches were released a month ago. Last week Microsoft issued an emergency fix for a zero-day flaw in Internet Explorer that covered Windows XP users.
Ross Barrett, senior manager of security engineering at Rapid7, said: “The second patching event of this May is breaking with the recent trend of lighter than average months. The patching priority is definitely the two critical issues, one of which seems to affect numerous components of SharePoint Server.
“This may prove to be a legitimate remotely exploitable issue, and definitely where I would focus my remediation resources first. The omnipresent critical patch in Internet Explorer is a close second in terms of importance, from the advance notice point of view.”
Craig Young, security researcher at Tripwire, said: “It looks like May 2014 is a banner month for Microsoft security patches this year. In addition to the already released IE out of band patch, Microsoft has scheduled eight more bulletins for release next Tuesday. Platforms across the board are affected and many product families have important or critical updates to prevent remote code execution or privilege elevation.
“Affected software includes all supported Windows operating systems; SharePoint server 2007-2013, Office 2007-2013, and IE 6-11. IT teams should be prepared; this month customers running current software releases will probably they need to more patches than usual.”
Russ Ernst, director of product management at Lumension, said: “The busy month comes just one-week after the out-of-band patch for IE, MS14-021, released by Microsoft May 1. Interestingly, a critical fix for IE is first on the advance notification list this month too. The bad guys continue to wage war on what remains one of the most popular browsers so, for organisations that rely on it, IT needs to patch monthly, at a minimum.
“Sharepoint users will want to pay close attention to the second critical bulletin; it impacts 2007, 2010 and 2013 and Microsoft Web Apps, otherwise known as Office Online. The remaining bulletins are rated important and impact a wide-range of software categories.
“Outside of Microsoft, Adobe announced today they will release security updates for Adobe Reader and Adobe Acrobat on Tuesday as well. They have assigned priority ratings of 1 for each of the 4 updates that are in the works.”
