Microsoft will release four bulletins next week, three of which will be rated as important.
With updates for Microsoft Windows, Internet Explorer, .NET Framework and Lync, this is the lightest patch Tuesday since January. Karl Sigler, threat intelligence manager at Trustwave, highlighted the first bulletin, which patches a remote code execution flaw, as being the highest priority to patch.
“This Internet Explorer bulletin marks the eighth patch Tuesday in a row that includes patches for Internet Explorer,” he said. “In the past few months we’ve seen IE bulletins addressing over 25 CVEs each release. This IE bulletin will be lighter than previous months, but it’s likely that several of these CVEs have been already been exploited in the wild or will be weaponised soon.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “Of the three non-critical things this month, two are denial of service issues affecting Lync and Windows/.NET. The other is an elevation of privilege issue affecting Windows 8/8.1 and Server 2012 & 2012 R2. Nothing to ignore, but definitely secondary to the IE issue unless it turns out that some or all of these are under active exploitation.”
Russ Ernst, director of product management at Lumension, said: “The few number of patches expected out next week doesn’t mean you can take a pass on patching this month however. The critical class patch is for at least one remote code execution vulnerability in IE – likely another cumulative update for the browser. It would be strange not to have one and kudos to the Microsoft team for staying on top of the bad guys’ seemingly first choice for exploitation.
“Pay attention to bulletin 3 this month; it’s for an elevation of privilege in Windows 8, 8.1, Server 2012 and RT. Bulletin 2 addresses a possible DDoS attack on the .NET framework in Windows Server 2003, 2008 and 2012 as well as Windows Vista, 7, 8 and 8.1. The final bulletin is a possible denial of service attack on versions 2010 and 2013 of Microsoft Lync. “