Advance notice of patches to be released by Microsoft for June 12

Microsoft has just sent their advance notice of the patches that are scheduled to be released on June 12, 2012.  There are a total of 7 patches to be released for June 2012. Three of the patches are designated as CRITICAL and the remaining four patches are designated as IMPORTANT. Exceptions are noted where applicable depending on operating system version.

The CRITICAL patch bulletins #1-3 apply to the following Windows Operating Systems, Web browsers and Office Products:

Bulletin #1 – CRITICAL

Workstation Operating Systems

  • Windows 7* – CRITICAL for 32 and 64 bit installations of Service Pack 1 only (base version is MODERATE severity)
  • Windows Vista* – MODERATE
  • Windows XP* – MODERATE

*NOTE: For Bulletin #1, the following workstation versions are assigned a severity of MODERATE: Windows 7 base version, Windows Vista SP2 (32 and 64 bit), Windows XP SP3 (32bit) and Windows XP SP2 (64bit).

Server Operating Systems*

Windows Server 2008R2 base and SP1 (64 bit and Itanium)

  • Windows Server 2008 SP2 (32, 64 bit and Itanium)
  • Windows Server 2003 SP2 (32, 64 bit and Itanium)

*NOTE: For Server core installations of Windows Server 2008R2 base and SP1 (64 bit); and 2008 SP2 (32 and 64 bit), bulletin #1 is assigned a severity of CRITICAL

 Bulletin #2 – CRITICAL

Workstation Operating Systems

  • Windows 7- Internet Explorer version 8-9
  • Windows Vista -Internet Explorer version 7-9
  • Windows XP -Internet Explorer version 6-8

 Server Operating Systems

  • Windows Server 2008R2 – Internet Explorer version 8-9* – MODERATE
  • Windows Server 2008 – Internet Explorer version 7-9* – MODERATE
  • Windows Server 2003 – Internet Explorer version 6-8* – MODERATE

*NOTE: For Bulletin #2, the following Server operating systems are assigned as severity of MODERATE: Windows Server 2008R2, Windows Server 2008 and Windows Server 2003.

NOTE2: For Server Core only installations of Windows Server 2008 and 2008R2, bulletin #2 is not applicable.

Bulletin #3 – CRITICAL

Workstation Operating Systems

  • Window 7 base and SP1 (32 and 64 bit)
  • Windows Vista SP2 (32 and 64 bit)
  • Windows XP SP3 (32 bit)
  • Windows XP SP2 (64 bit)

 Server Operating Systems

  • Windows Server 2008R2* base and SP1 (64 bit and Itanium)
  • Windows Server 2008 SP2 (32, 64 bit and Itanium)
  • Windows Server 2003 SP2 (32, 64 bit and Itanium)

*NOTE: Only Server Core only installations of Windows Server 2008R2 are assigned a critical severity for bulletin #3. Server core only installations of Windows Server 2008 are not applicable for bulletin #3.

 

Bulletin #4 – IMPORTANT

Microsoft Office Suites and Software

  • Office 2003 SP3
  • Office 2007 SP2 and SP3
  • Visual Basic for Applications
  • Visual Basic for Applications SDK

NOTE: Bulletin #4 is not applicable for the following Microsoft Office Suites and Software: Office 2010 base and SP1 (both 32 and 64 bit versions)

Bulletin #5 – IMPORTANT

Microsoft Enterprise Resource Planning (ERP) software

  • Microsoft Dynamics AX 2012

 Bulletin #6 – IMPORTANT

Workstation Operating Systems

  • Windows 7 base and SP1 (32 and 64 bit versions)
  • Windows Vista SP2 (32 and 64 bit versions)
  • Windows XP SP3 (32 bit)
  • Windows XP SP2 (64 bit)

Server Operating Systems

  • Windows Server 2008R2 base and SP1 (64 bit and Itanium)*
  • Windows Server 2008 SP2 (32, 64 bit and Itanium)*
  • Windows Server 2003 SP2 (32, 64 bit and Itanium)

*Note: For Bulletin #6, both full and server core only installations are assigned a severity of IMPORTANT for Windows Server 2008R2 and 2008.

Bulletin #7 – IMPORTANT

Workstation Operating Systems*

  • Windows 7 base and SP1 (64 bit only)
  • Windows Vista – NOT APPLICABLE
  • Windows XP SP3 (32 bit only)

*NOTE: Bulletin #7 does not apply to the following Workstation Operating Systems: Windows 7 32 bit, Windows Vista SP2 (32 or 64 bit), or Windows XP SP2 (64 bit).

 

Server Operating Systems

  • Windows Server 2008R2 base and SP1 64 bit only (Itanium not applicable)
  • Windows Server 2008R2 base and SP1 64 bit only – server core only installation
  • Windows Server 2003 SP2 32 bit only – (64 bit and Itanium not applicable)

As no information is available with regard to if these vulnerabilities have been publicly disclosed, no recommendation can be provided with regard to the urgency of the installation of the June patches. Based on the information that has been released, it would appear that workstations are potentially the most vulnerable and should be patched as soon as possible. Pending additional information with regards to bulletins #1 and #3, and the patches applicability to Microsoft Server Operating System installations, it would appear that the application of patches to Server Operating Systems COULD possibly be deferred until a later time.

Additional information will be provided on June 12 following the release of the patches.

The Microsoft announcement is available at – http://technet.microsoft.com/en-us/security/bulletin/ms12-jun

Update June 14

Other vendors didn’t want Microsoft to be the only one to ride the patch bandwagon for June.  Not only did Adobe chime in with updates to Flash and AIR, but Oracle also issued updates for Java and MySQL (exploit for the MySQL vulnerability is already in the wild) and Apple (yes- APPLE) updated their java for OS-X almost in real time with the Oracle Java update.

I am providing links for all the updated products below.  In short, with the breadth of all the patches and specifically the scope of the Microsoft patches for Internet Explorer (one of which addresses a publicly disclosed vulnerability – that has been reported as already having been exploited), I would suggest making Wednesday, June 13 (or the next available opportunity for downtime for server systems), a patch everything day.

Oracle

  • MySQL  - current versions are: 5.1.63, 5.5.24 and 5.6.6

http://bugs.mysql.com/bug.php?id=64884

  •  Java – current Java Runtime Environment (JRE) versions are: 7.5, 6.33 and 5.35

http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

Adobe

  • Flash – current version 11.3.300.257

http://www.adobe.com/support/security/bulletins/apsb12-14.html

  • Air – current version 3.3.0.3610

http://www.adobe.com/support/security/bulletins/apsb12-14.html

Apple for OS X workstation and server versions 10.6.8, and 10.7.4 (LION)

  • Java – current version 1.6.0_33

http://support.apple.com/kb/HT5319

 

Tags:

Categories: Uncategorized