Advance notice of August Microsoft patches – to be released on August 14

Microsoft has just sent their advance notice of the patches that are scheduled to be released on August 14, 2012.  There are a total of 9 patches to be released for August 2012. Five of the patches are designated as CRITICAL and the remaining four patches are designated as IMPORTANT. Exceptions are noted where applicable depending on operating system version.

The CRITICAL patch bulletins #1-5 apply to the following Windows Operating Systems, Web browsers and Office Products:

 

Bulletin #1 – CRITICAL

Remote Code Execution vulnerability – OS restart required

Internet Explorer versions 6-9 for the following operating systems

Workstation Operating Systems

  • Windows 7 base and SP1 (32 and 64 bit) – Internet Explorer versions 8-9
  • Windows Vista SP2 (32 and 64 bit) – Internet Explorer versions 7-9
  • Windows XP-SP3 – Internet Explorer versions 6-8
  • Windows XP-SP2 (64 bit) – Internet Explorer versions 6-8

 

Server Operating Systems*

  • Windows Server 2008-R2 base and SP1 (64 bit and Itanium) – Internet Explorer versions 8-9
  • Windows Server 2008-SP2 (32, 64 bit and Itanium) – Internet Explorer versions 7-9
  • Windows Server 2003-SP2 (32, 64 bit and Itanium) – Internet Explorer versions 6-8

*Note – for Bulletin #1, all server operating systems are assigned a severity of MODERATE

Bulletin #2 – CRITICAL

Remote Code Execution vulnerability – OS restart required

Workstation Operating Systems

  • Windows XP-SP3 only

Server Operating Systems

  • N/A

 

Bulletin #3 – CRITICAL

Remote Code Execution vulnerability – OS restart required

Workstation Operating Systems

  • Windows 7 base and SP1 (32 and 64 bit) – MODERATE
  • Windows Vista SP2 (32 and 64 bit) – IMPORTANT
  • Windows XP SP3 (32 bit) – CRITICAL
  • Windows XP SP2 (64 bit) – CRITICAL

Server Operating Systems

  • Windows Server 2008R2 base and SP1 (64 bit and Itanium) – MODERATE
  • Windows Server 2008 SP2 (32, 64 bit and Itanium) – MODERATE
  • Windows Server 2003 SP2 (32, 64 bit and Itanium) – CRITICAL

 

Bulletin #4 – CRITICAL (unless otherwise noted, the critical designation applies to all products)

Remote Code Execution vulnerability – may require restart

Microsoft Office Suites and Software

  • Office 2003 SP3
  • Office 2003 Web Components SP3
  • Office 2007 SP2 and SP3
  • Office 2010 SP1 (32 bit only)*

*Note – Bulletin #4 does not apply to 64 bit versions of Office 2010-SP1

 

Microsoft Server Software

  • SQL Server 2004 SP4
  • SQL Analysis Services Service SP4
  • SQL Server 2005 Express Edition with Analysis Services Service SP4
  • SQL Server 2005 SP4 (32, 64 bit and Itanium)
  • SQL Server 2008 SP2 (32, 64 bit and Itanium)
  • SQL Server 2008 SP3 (32, 64 bit and Itanium)
  • SQL Server 2009R2 base, SP1 and SP2 (32, 64 bit and Itanium)

 

Microsoft Office Web Components

  • Office Web Components 2003 Service SP3

Microsoft Commerce Server

  • Commerce Server 2002 SP4
  • Commerce Server 2007 SP2
  • Commerce Server 2009
  • Commerce Server 2009R2

Host Integration Server

  • Microsoft Host Integration Server 2004 SP1

Developer Tools and Software

  • Visual FoxPro 8.0 base and SP1
  • Visual FoxPro 9.0 base and SP2
  • Visual Basic 6.0 Runtime

 

Bulletin #5 – CRITICAL

Remote Code Execution

Workstation Operating Systems

N/A

Server Operating Systems

  • Microsoft Exchange Server 2007 SP3
  • Microsoft Exchange Server 2010 SP1 and SP2

 

Bulletin #6 – IMPORTANT

Elevation of Privilege – OS restart required

Workstation Operating Systems

  • Windows 7 base and SP1 (32 and 64 bit versions)
  • Windows Vista SP2 (32 and 64 bit versions)
  • Windows XP SP3 (32 bit)
  • Windows XP SP2 (64 bit)

Server Operating Systems

  • Windows Server 2008R2 base and SP1 (64 bit and Itanium)
  • Windows Server 2008 SP2 (32, 64 bit and Itanium)
  • Windows Server 2003 SP2 (32, 64 bit and Itanium)

 

 

Bulletin #7 – IMPORTANT

Remote Code Execution vulnerability – OS restart may be required

Workstation Operating Systems

  • Windows 7 base and SP1 (32 and 64 bit versions)
  • Windows Vista SP2 (64 bit only)*
  • Windows XP SP2 (64 bit only)*

*Note – Bulletin #7 is not applicable for 32 bit installations of Windows XP and Vista

Server Operating Systems (for server operating systems, Bulletin #7 is assigned a severity of LOW)

  • Windows Server 2008R2 base and SP1 (64 bit and Itanium)
  • Windows Server 2008 SP2 (64 bit only)*
  • Windows Server 2003 SP2 (64 bit only)*

*Note – Bulletin #7 is not applicable for 32 bit and Itanium installations of Windows Server 2003 or Windows Server 2008

 

 

Bulletin #8 – IMPORTANT

Remote Code Execution vulnerability – OS restart may be required

Microsoft Office software

  • Office 2007 SP2 and SP3
  • Office 2010 SP1 (32 and 64 bit versions)

 

Bulletin #9 – IMPORTANT

Remote Code Execution vulnerability – OS restart may be required

Microsoft Office Software

  • Visio 2010 SP1 (32 and 64 bit versions)
  • Visio Viewer 2010 SP1 (32 and 64 bit versions)

 

As no information is available on whether these vulnerabilities have been publicly disclosed, no recommendation can be provided on the urgency of installing the July patches.

Additional information will be provided on August 14 following the release of the patches.

The Microsoft announcement is available at – http://technet.microsoft.com/en-us/security/bulletin/ms12-aug

Update August 14 1 p.m.

Microsoft has provided additional details on what components are being patched in the August updates.

With the exception of MS12-58 – http://technet.microsoft.com/en-us/security/bulletin/ms12-058 – none of the vulnerabilities patched in August had been publicly disclosed prior to August 14.  For that reason, the AgriLife ISO patch recommendation for August 2012 IS NOT that an urgent or rapid patch deployment process be utilized for workstations.

Similarly, while the vulnerability addressed by MS12-58 was publicly disclosed prior to August 14, when the exposure was first identified (approximately July 25), Microsoft provided a workaround that reduced the exposure of Exchange Server deployments to the vulnerability. The workaround suggested that Exchange system administrators disable the WebReady Document Viewing feature provided by Exchange. The vulnerability was specific to Oracle Outside In for Outlook Web Access.  As long as the workaround has been implemented, the exposure for server deployments of Exchange is reduced.
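One way to check whether the workaround is in place and to apply it where it is not, as an added example that is not part of the original post or of Microsoft's bulletin. It assumes it is run in the Exchange Management Shell on Exchange 2007 or 2010; the function names `Get-WebReadyStatus` and `Disable-WebReady` are hypothetical.

```powershell
# Added example: audit and disable WebReady Document Viewing on OWA virtual directories.
# Assumption: run from the Exchange Management Shell with rights to modify OWA settings.

# Report the current WebReady setting for every OWA virtual directory.
function Get-WebReadyStatus {
    Get-OwaVirtualDirectory |
        Select-Object Server, Name,
            WebReadyDocumentViewingOnPublicComputersEnabled,
            WebReadyDocumentViewingOnPrivateComputersEnabled
}

# Disable WebReady wherever it is still enabled.
# Without -Apply the function only lists what it would change.
function Disable-WebReady {
    param([switch]$Apply)

    # Virtual directories where the feature is on for public or private computers.
    $exposed = Get-OwaVirtualDirectory | Where-Object {
        $_.WebReadyDocumentViewingOnPublicComputersEnabled -or
        $_.WebReadyDocumentViewingOnPrivateComputersEnabled
    }

    foreach ($vdir in $exposed) {
        if ($Apply) {
            Set-OwaVirtualDirectory -Identity $vdir.Identity `
                -WebReadyDocumentViewingOnPublicComputersEnabled $false `
                -WebReadyDocumentViewingOnPrivateComputersEnabled $false
            Write-Host "Disabled WebReady on $($vdir.Identity)"
        } else {
            Write-Host "Would disable WebReady on $($vdir.Identity)"
        }
    }
}

# Typical sequence: review, dry run, apply, then confirm.
# Get-WebReadyStatus
# Disable-WebReady
# Disable-WebReady -Apply
# Get-WebReadyStatus
```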

With regard to the application of the workstation patches, as four CRITICAL vulnerabilities are present in all current versions of Windows workstation Operating Systems (http://technet.microsoft.com/en-us/security/bulletin/ms12-052 ) for web browsers (Internet Explorer 6-9), even privately reported vulnerabilities can present an exposure to workstations once the patches have been reverse engineered and exploit code has been developed and released.  For that reason, it is still recommended that workstation users patch systems as soon as possible.  Historically, where exploit code can’t be prevented via the use of security features built into newer versions of Microsoft Operating Systems (such as Data Execution Prevention – DEP and/or Address Space Layout Randomization – ASLR), reliable exploit code can be developed and deployed in as little as thirty days.  For that reason, it is always recommended that the patches be applied to workstations within 2 weeks where possible.

I also wish to add that patches were released for Adobe Reader, Acrobat and Flash on Tuesday, August 14.

 

All users of Reader/Acrobat X should get the updated version automatically. Otherwise, it can be downloaded from the following links:

Reader/Acrobat

Windows – http://www.adobe.com/support/downloads/detail.jsp?ftpID=5440

Macintosh – http://www.adobe.com/support/downloads/detail.jsp?ftpID=5442

Flash

http://get.adobe.com/flashplayer/

 

 

 
