Just a very brief note this month to remind you about Patch Tuesday.
It’s almost as early as it can be, since July started on a Monday, putting Patch Tuesday on 09 July 2013.
With six out of seven of Microsoft’s pre-announced patches deemed critical, and a wide range of Microsoft components affected, you probably need to declare today to be Pre-Patch-Tuesday Monday.
The range and reach of this month’s updates mean it would be wise to make sure that you have all your operational ducks in a row before the patches actually come out.
Most notable amongst this month’s notifications is that even Windows Server Core 2012 is getting critical patches, and will need a reboot.
Server Core installs are often spared from hassle on Patch Tuesdays because they are deliberately stripped-down versions of Windows with a significantly reduced attack surface area.
Importantly, the GUI part of Windows is omitted, so you can’t install software such as Internet Explorer, Adobe Reader, Flash and Microsoft Office, even if you want to. (Even better, no-one else can install it, either.)
The latest and greatest version of Microsoft Lync also gets a critical update, so even if you switched only recently, get ready to patch on Tuesday.
Most intriguing amongst this month’s notifications is an elevation of privilege (EoP) bug in Windows Defender, Microsoft’s basic and now legacy anti-malware tool, on Windows 7.
The EoP doesn’t get a critical rating; it rates only important.
EoPs generally end up rated non-critical because they can’t be directly exploited from outside unless they’re combined with a remote code execution (RCE) vulnerability.
Nevertheless, EoPs are well worth patching because if they are combined with an RCE, they may allow an attacker to convert a modestly dangerous drive-by install with user privileges into a fully-fledged administrator-level system takeover.
Lastly, all officially-acknowledged versions of Internet Explorer will need critical patches, from IE 6 to IE 10.