It’s that time of the month again, with Microsoft Patch Tuesday just 24 hours away.
In point form, August 2013 brings you:
- Eight bulletins
- Three critical due to potential remote code execution
- Critical #1: All Internet Explorer versions from 6 to 10
- Critical #2: Exchange Server versions 2007, 2010 and 2013
- Critical #3: Windows itself, but only XP and Server 2003
- Patches for Server Core, but none critical
- Reboot required
It’s hard to say just how severe (or how widely exploited, if at all) any of the critical vulnerabilities are, since Microsoft plays its cards close to its chest until the patches actually ship.
And even though some of the bulletins are listed with a Restart Requirement of “maybe,” you should assume you’ll be rebooting every Windows box within your remit.
That’s because all your systems will either have Internet Explorer on them, or be Server Core installs.
Both of those require a reboot.
As usual, SophosLabs will be publishing its own vulnerability assessments once Microsoft has officially issued its updates. (Redmond always gets to go first. Understandably, that’s the way it is.)
Although Naked Security generally recommends getting a move on with patching, lest you get sucked into a Change Control Resistance Vortex, SophosLabs gives you a Threat Level assessment for each patch.
All other things being equal, if you have to delay one or more of the eight Bulletins, the Threat Level helps you choose by assessing the likelihood that each security hole will be actively exploited.
6 comments on “Heads up for Patch Tuesday: 24 hours, 8 bulletins, 3 critical, everything needs a reboot”
I have Windows 7 and never actually USE Internet Explorer. Chrome is my default browser. Is there any concern for someone in my situation?
Problem is that "Internet Explorer" means more than just IEXPLORE.EXE.
It means the whole IE-related HTML/JS rendering subsystem.
Chances are you *do* use it, or at least some of its components, rather a lot.
Thanks for the information!
It is not that difficult to add malicious code to a file to open IE then do something worse.
My rule is that if it is installed on a machine and needs a security update, then update.
I have Windows 8 & Chrome as default browser… Concerns?
Yes (see my reply to @Robyn).
You almost certainly have system files installed, and perhaps regularly in use, that fall into the bucket called "IE" when security updates roll around.
Don't skip the update 🙂