The second Tuesday of each month is Microsoft’s Patch Tuesday, and Microsoft publishes a heads-up the Thursday before. That’s today, and Microsoft's Security Bulletin Advance Notification for June 2013 indicates it will be a laid-back month for IT admins—with one significant exception.
Microsoft has five security bulletins scheduled for next week. It’s the fewest bulletins for a single month so far this year, so IT admins are getting a bit of a break from the normally hectic pace of patch implementation. On top of that, of the five bulletins only one is rated as Critical, while the other four are merely Important.
Paul Henry, Security and Forensic Analyst at Lumension, points out that 2013 is eight bulletins ahead of last year at the halfway point. He also notes, however, that there has been the exact same number of Critical bulletins thus far, with 16.
The biggest priority for June will be Bulletin 1: a cumulative update for Internet Explorer—addressing 19 of the 23 issues fixed by Microsoft for Patch Tuesday.
“Bulletin One is downright scary, a remote code execution on IE on all versions of Windows [running from IE 6 through 10 on various platforms],” says Ken Pickering, development manager of security intelligence for CORE Security. “This one would make it easy to remotely gain access to someone’s machine via a malicious webpage."
Henry disagrees a bit on the overall severity. “Though this may be very concerning at first glance, the bulletin should not cause undue alarm. In order for the vulnerability to be executed, an attacker would have to craft a malicious site and use a phishing attack to lure an unsuspecting user to the site, which would then compromise the system.”
Keeping that in mind, though, there is still cause for concern. The attacker has to get the user to the malicious page, but a well-crafted phishing lure does exactly that with considerable success, and once the page loads the exploit needs no further action from the user. Make sure you educate your users about the threat, and remind everyone to think twice (or three times) before clicking suspicious or unknown links.
Bulletin 5 is also interesting. It is a remote code execution vulnerability in Microsoft Office, and most IT admins probably won’t pay much attention to it, because on Windows it affects only Office 2003. What makes Bulletin 5 worth a second look is that the same vulnerability also affects Office 2011 for Mac, so shops that have retired Office 2003 but run Office on Macs still have systems to patch.
Tune in next Tuesday when the security bulletins are officially released for a deeper analysis of the vulnerabilities and priorities for patching.