Heads up for Patch Tuesday: 24 hours, 8 bulletins, 3 critical, everything needs a reboot

It's that time of the month again, with Microsoft Patch Tuesday just 24 hours away.

In point form, August 2013 brings you:

  • Eight bulletins
  • Three critical due to potential remote code execution
  • Critical #1: All Internet Explorer versions from 6 to 10
  • Critical #2: Exchange Server versions 2007, 2010 and 2013
  • Critical #3: Windows itself, but only XP and Server 2003
  • Patches for Server Core, but none critical
  • Reboot required

It's hard to say just how severe (or how widely exploited, if at all) any of the critical vulnerabilities are, since Microsoft plays its cards close to its chest until the patches actually ship.

And even though some of the bulletins are listed with a Restart Requirement of "maybe," you should assume you'll be rebooting every Windows box within your remit.

That's because all your systems will either have Internet Explorer on them, or be Server Core installs.

Both of those require a reboot.

As usual, SophosLabs will be publishing its own vulnerability assessments once Microsoft has officially issued its updates. (Redmond always gets to go first. Understandably, that's the way it is.)

Although Naked Security generally recommends getting a move on with patching, lest you get sucked into a Change Control Resistance Vortex, SophosLabs gives you a Threat Level assessment for each patch.

All other things being equal, if you have to delay one or more of the eight Bulletins, the Threat Level helps you choose by assessing the likelihood that each security hole will be actively exploited.

6 Responses to Heads up for Patch Tuesday: 24 hours, 8 bulletins, 3 critical, everything needs a reboot

  1. Robyn · 253 days ago

    I have Windows 7 and never actually USE Internet Explorer. Chrome is my default browser. Is there any concern for someone in my situation?

    • Paul Ducklin · 253 days ago

      Problem is that "Internet Explorer" means more than just IEXPLORE.EXE.

      It means the whole IE-related HTML/JS rendering subsystem.

      Chances are you *do* use it, or at least some of its components, rather a lot.

  2. Spryte · 253 days ago

    It is not that difficult to add malicious code to a file to open IE then do something worse.

    My rule is that if it is installed on a machine and needs a security update, then update.

  3. Michael · 253 days ago

    I have Windows 8 & Chrome as default browser... Concerns?

    • Paul Ducklin · 253 days ago

      Yes (see my reply to @Robyn).

      You almost certainly have system files installed, and perhaps regularly in use, that fall into the bucket called "IE" when security updates roll around.

      Don't skip the update :-)

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog