The long, hot summer is technically over this month, although here in Texas our daily high temperatures are still in the upper 90s. Still, that’s cooler than it was in July and August. The swallows that nested under our eaves have left on their annual journey to their winter home in South America, school is back in session, and the holiday season is right around the corner. All I want from Santa is a month free of security vulnerabilities.
That’s a gift none of us will likely get. However, after last month’s nine updates, several of which caused problems and had to be recalled and re-issued, many IT pros will be breathing a sigh of relief when they hear that Microsoft is releasing only four security bulletins for September’s Patch Tuesday, and only one of these is rated critical.
As usual, that critical update addresses a remote code execution vulnerability and it’s yet another web browser update. The critical rating is for client operating systems, while it’s only classified as a moderate threat on servers, and of course server core installations, which lack a browser, are not affected at all. All supported versions of Internet Explorer are impacted (versions 6 through 11), running on all versions of Windows except the server cores.
Bulletins 2 and 4 both address denial of service vulnerabilities. Bulletin 2 affects Windows and the .NET Framework. All supported versions of Windows are affected, with the exception of the server core installation of Windows Server 2008 for 32- and 64-bit systems. Server core installations of Server 2008 R2, 2012 and 2012 R2, however, are affected. Bulletin 4 pertains to vulnerabilities in Microsoft Lync Server 2010 and 2013.
Finally, bulletin 3 is about an elevation of privilege issue. It affects only the latest versions of Windows: Windows 8 and 8.1, RT and RT 8.1, and Server 2012 and 2012 R2. This includes the server core installation of the latter. Older versions of Windows are not affected.
The IE update is obviously deserving of the most immediate attention, due to its severity rating and the widespread nature of impact. We don’t know yet whether there are active exploits already being carried out, but we do know that the web browser is a favorite target of attackers. Practically every computer in most organizations (server core installations excepted) will have to be patched, so even with just four updates to deal with this time, admins in large organizations are going to have their hands full.
We’ll have the details for you about all of these patches shortly after they’re released next Tuesday, and we’ll all be hoping not to be bringing you any follow-up stories this time about blue screens or other problems resulting from the patches.