Hefty Microsoft August Patch Delivers 13 Security Fixes
The August patch is a bulky one as Microsoft released 13 fixes today. The two "critical," nine "important" and two "moderate" items are targeted at 22 vulnerabilities.
"This month definitely has all of the usual vulnerability suspects: IE, Office, DLL preloading and several local privilege escalation issues. It looks like the bugs we know so well have all come out to play again this month," said Tyler Reguly, technical manager of security research and development at nCircle.
Four of the bulletins address remote code execution vulnerabilities. Rounding out the slate this month are three information-disclosure, three denial-of-service and three elevation-of-privilege bulletins.
The first critical item is a fix that affects every supported Windows OS. It is a cumulative update for all versions of Internet Explorer.
The update patches five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer, according to Microsoft. Security experts say that this item should be job No. 1 for all Windows IT pros this month.
"The exploitability index for this issue is '1,' indicating that we will see a reliable exploit soon," said Wolfgang Kandek, CTO at Qualys.
Meanwhile, the second (and last) critical bulletin for August is a fix for Windows DNS, which affects only Windows Server 2003 and 2008.
The important items in the patch affect Windows Server 2003 and 2008 on the server side, and Windows 7, Windows XP and Vista on the client OS side.
Programs affected by important items include Microsoft Visio, Remote Access Service NDISTAPI Driver and Remote Desktop Web Access. Left unpatched, some of these vulnerabilities can lead to cross-site scripting issues.
Also included are programs and components such as Windows Client/Server Run-time Subsystem, the TCP/IP Stack, Remote Desktop Protocol, ASP.NET Chart controls, Report Viewer and the Windows kernel (a relative mainstay in terms of the frequency of patching).
Aside from the two critical items, the August update is, according to IT security analysts and researchers, decidedly low-profile: an unusually large share of the bulletins address operational and access-control risks such as denial-of-service and elevation-of-privilege flaws rather than remote code execution.
"We haven't seen nearly this many low-profile patches -- ones that primarily result in information-disclosure or cause denial-of-service conditions -- in quite some time," said Joshua Talbot, security intelligence manager at Symantec Security Response. "Half of all the vulnerabilities patched this month are of that type, which is rare."
Moderate Items and Other Updates
The first moderate item touches the .NET Framework for every supported Windows OS. The last moderate item is a Windows OS-level fix that affects Vista, Windows 7 and Windows Server 2008.
All bulletins in the August patch may require a restart.
With this month's slate, Microsoft also released a Security Advisory updating ActiveX Kill Bits at the Windows OS level.
"In the past, we have seen these patches included in the normal Microsoft Security bulletin release on Patch Tuesday," said Jason Miller, manager of research and development at VMware. "It appears Microsoft is moving these types of patches to Security Advisories."
As usual, Windows IT admins can browse this link to get up to speed on releases from the Microsoft Windows Update Web site.
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.