Microsoft will release six bulletins next week, two of which are rated as critical and patch flaws in Windows and Internet Explorer.
According to its advance notification, the two critical patches are for remote code execution flaws. The remaining four patches will cover flaws in Windows and Microsoft Server Software, and are all rated as important.
Russ Ernst, director of product management at Lumension, said: “Data centre administrators shouldn’t plan to be away too much next week, since every bulletin impacts nearly every supported Windows Server version. Two of the bulletins even impact Windows Server set to Core mode.
“While the advanced notification system is only a preview of what’s to come, we can speculate the first critical bulletin that impacts IE versions 6-11 is another cumulative update. The second critical bulletin hits just about every version of Windows, from Vista and Server 2008 to 8.1, so it will be important to look into.”
Craig Young, security researcher for Tripwire, said: “Administrators will be happy that the list of affected software this month doesn’t include many of the usual suspects; there’s no SharePoint, .NET, or even Office vulnerabilities.
“Perhaps the most interesting part of this month’s Microsoft Advance Notification is the fact that it was actually emailed to customers in a reversal of the Redmond giant’s earlier announcement that it would stop delivering email notifications in response to the new anti-SPAM laws in Canada.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “The odd one out this month is the Moderate Denial of Service in ‘Microsoft Service Bus for Windows Server’. This seems to be a message queuing library for Windows; it’s part of the Microsoft Web Platform package and is not installed by default with any OS version. That said, if you have this component you will probably care to patch this before script kids start knocking over your site.”
Wolfgang Kandek, CTO of Qualys, said: “Also this month Oracle is publishing its Critical Patch Update (CPU) July 2014. It is expected to come out on July 15 and typically contains fixes for hundreds of vulnerabilities. How applicable the patches are for your organisation depends on your software inventory, but at least the update for Java will be important for most organisations.”