Far-reaching fixes for Patch Tuesday - Server Core 2012, IE 10, Lync 2013 all in firing line

Just a very brief note this month to remind you about Patch Tuesday.

It's almost as early as it can be, since July started on a Monday, putting Patch Tuesday on 09 July 2013.

With six out of seven of Microsoft's pre-announced patches deemed critical, and a wide range of Microsoft components affected, you probably need to declare today to be Pre-Patch-Tuesday Monday.

The range and reach of this month's updates mean it would be wise to make sure that you have all your operational ducks in a row before the patches actually come out.

Notable

Most notable amongst this month's notifications is that even Windows Server Core 2012 is getting critical patches, and will need a reboot.

Server Core installs are often spared from hassle on Patch Tuesdays because they are deliberately stripped-down versions of Windows with a significantly reduced attack surface area.

Importantly, the GUI part of Windows is omitted, so you can't install software such as Internet Explorer, Adobe Reader, Flash and Microsoft Office, even if you want to. (Even better, no-one else can install it, either.)

The latest and greatest version of Microsoft Lync also gets a critical update, so even if you switched only recently, get ready to patch on Tuesday.

Intriguing

Most intriguing amongst this month's notifications is an elevation of privilege (EoP) bug in Windows Defender, Microsoft's basic and now legacy anti-malware tool, on Windows 7.

The EoP doesn't get a critical rating; it rates only important.

EoPs generally end up rated non-critical because they can't be directly exploited from outside unless they're combined with a remote code execution (RCE) vulnerability.

Nevertheless, EoPs are well worth patching because if they are combined with an RCE, they may allow an attacker to convert a modestly dangerous drive-by install with user privileges into a fully-fledged administrator-level system takeover.

Lastly, all officially-acknowledged versions of Internet Explorer will need critical patches, from IE 6 to IE 10.

Get ready!

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog