It’s Patch Tuesday again. This month is busier than most because on top of Microsoft’s security bulletins, Adobe is also releasing updates for Reader and Acrobat.
Let’s start with Microsoft. There are nine new security bulletins for August, which resolve 26 different vulnerabilities. Five are rated Critical, including a patch for Internet Explorer for the third consecutive month, and four are rated Important.
Tyler Reguly, director of security research and development for nCircle, says, “The most interesting thing this month is the release of patches for two wormable issues, MS12-053 and MS12-054. These only affect the oldest-supported Windows platforms and really speaks well of the improvements Microsoft has made to their security efforts over the years.”
Andrew Storms, director of security operations for nCircle, agrees with Reguly, stressing the potential impact of MS12-053. “This one has the potential for serious impact because it is network aware and no authentication is required. If you have XP on your network, then get the mitigations for this one installed ASAP.”
This is particularly relevant considering the imminent release of Windows 8. Microsoft and security experts have been stressing for years that older Windows platforms and software may still work in the technical sense, but they simply aren’t built to fight off today’s threats. Businesses and consumers alike should seriously consider taking advantage of the $40 upgrade to Windows 8.
In his Laws of Vulnerabilities blog, Qualys CTO Wolfgang Kandek describes MS12-060. “MS12-060 fixes a vulnerability that is already being exploited in the wild. The vulnerability is located in the Windows Common Control and can be triggered through Office documents and through malicious web pages. The currently known attacks have been targeting Word and WordPad through RTF files attached to e-mail messages.”
Storms points out the silver lining for MS12-060. “There is some good news this month--that the attack vector associated with the MSCOMCTL patch is an RTF file--and the victim has to explicitly open the file to allow the exploit. If you can’t get this patch rolled out or mitigation applied quickly, you should remind users about the dangers of opening attachments from unknown persons.”
As if the Microsoft security bulletins weren’t enough to keep IT busy for a while, Adobe released new versions of Adobe Acrobat, Reader, Shockwave, and Flash to patch security holes in those products as well.
Check out the details of the Microsoft and Adobe security bulletins to figure out which ones apply to you, and prioritize the patches that are most critical or have the greatest potential to impact your PCs.