Microsoft has just provided advance notice of the Operating System and application patches that are scheduled to be released on Tuesday, June 11. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms13-jun . There are a total of five patches to be released. Only one of which is identified as CRITICAL (and the critical designation is only assigned to workstation operating systems – server operating systems are assigned a MODERATE designation), however it applies to all versions of Internet Explorer that are currently supported. With the exception of bulletin #3, an IMPORTANT designation is assigned to all other patches issued for June.
With regard to bulletin #3, it is assigned a MODERATE designation for all operating systems prior to Windows 8/WinRT and Windows server 2012; but is assigned an IMPORTANT designation for the post Win7/Server 2008 operating systems.
Additionally, with regard to the final patch, designated as bulletin #5, it only applies to Microsoft Office 2003 SP3 and Office for Mac 2011 and is assigned an IMPORTANT security designation.
As is normally the case of late, the vulnerabilities being address with the Internet Explorer patches are likely to be the largest influence with regard to how rapidly the patches are recommended to be applied. Three aspects that factor into the patch recommendation are as follows:
- are the vulnerabilities already publicly known
- are the vulnerabilities likely to be reliably exploited with malicious code
- if reliable malicious code is expected, is it likely to be made available within the next 30 days
Definitive answers to the issues above are not expected to be known before Tuesday, June 11. The AgriLife ISO will make a patch recommendation as additional information is made available.
Update June 11 1:00 p.m.
The Windows operating system and application patches for June have been released. The critical patch for Internet Explorer (MS13-47) actually addresses nineteen privately reported vulnerabilities that could allow for remote code execution if successfully exploited. For approximately eight of the nineteen vulnerabilities, reliable exploit code is expected to be developed within the next 30 days for even the most current versions of Internet Explorer. For older versions of Internet Explorer, reliable exploit code is likely to be developed in the next 30 days for fifteen of the nineteen vulnerabilities.
With the exception of patch http://technet.microsoft.com/en-us/security/bulletin/MS13-051 which applies to MS-Office 2003, the remaining vulnerabilities are not expected to be exploited through remote code execution or elevation of privilege. Patches MS13-048 through MS13-050 address denial of service or information disclosure vulnerabilities. Due to the scope of the exposure for Internet Explorer, the AgriLife ISO recommendation is to patch workstation systems as soon as possible.
Update June 12 7:40 a.m.
Adobe released a patch for Flash on June 11. Details about the patch are available at http://www.adobe.com/support/security/bulletins/apsb13-16.html