Back-to-school Patch Tuesday: Critical updates for Internet Explorer, Adobe Reader
Sysadmins, brace yourselves
Microsoft is planning a light edition of Patch Tuesday for September with just four bulletins, only one of which covers critical vulnerabilities. But an upcoming Adobe critical update for its Reader software around the same time means sysadmins are still likely to have their hands full next Tuesday.
The sole critical update for MS this month is an Internet Explorer roll-up affecting all supported (and likely some unsupported) versions. The other three scheduled bulletins cover an elevation of privilege issue affecting Windows 8/8.1 and Server 2012 & 2012 R2, as well as two potential DDoS-triggering bugs affecting Lync Server and Windows/.NET, respectively.
These are "nothing to ignore, but definitely secondary to the IE issue unless it turns out that some or all of these are under active exploitation," commented Ross Barrett, senior manager of security engineering at Rapid7, the developer of the Metasploit Framework penetration testing tool. "Looks like a very light round of Microsoft Patching this month," he added.
Other security experts agree that the Internet Explorer bulletin is very likely to be the highest patching priority in September's patch batch, which is due to land next Tuesday (9 September). We already know the IE update covers a critical remote code execution (i.e. malware injection) risk, but details have been held back by Microsoft until the patch is published next Tuesday.
"This IE bulletin marks the eighth Patch Tuesday in a row that includes patches for Internet Explorer. In the past few months we've seen IE bulletins addressing over 25 CVEs each release," said Karl Sigler, threat intelligence manager at infosec vendor Trustwave. "This IE bulletin will be lighter than previous months but it's likely that several of these CVEs have already been exploited in the wild or will be weaponised soon."
Microsoft's advance notification bulletin for its September patch batch is here.
In other patching news, Adobe is planning to release an update for Adobe Reader and Acrobat XI (11.0.08) and earlier versions for Windows and Macintosh next Tuesday. These updates address critical vulnerabilities in the much-pwned software applications. Adobe's pre-delivery alert is here.