Advance notice of July Microsoft patches – to be release on July 9.

Microsoft released their advance notice of the patches that are scheduled to be released for July 2013. There are a total of seven patches, six of which are identified as CRITICAL.  In a departure from normal monthly patches,  July patches designated as CRITICAL apply to both workstation AND server versions of all currently shipping Microsoft Operating Systems.

A patch was also released for all versions of Internet Explorer. However, it is only assigned a CRITICAL severity when installed on workstations.  As is normally the case, the patch for Internet Explorer is designated as MODERATE for Server Operating System installations. In addition to critical patches for all workstation OSs, patches designated as CRITICAL are scheduled to be released for the following products:

  • Silverlight 5
  • Lync 2010 (Attendee, 32 and 64 bit)
  • Lync 2013 basic (32 and 64 bit)
  • Lync 2013 (32 and 64 bit)

One patch (known as bulletin #7) designated as IMPORTANT applies to Windows Defender for Windows 7 and also Defender for Windows Server 2008.

Note regarding Bulletin #3 – The patch is designated as CRITICAL for all server and workstation operating systems but it also applies to Office 2003 sp3, Office 2007 sp3, Office 2010 sp1 (32 and 64 bit) in addition to Visual Studio .NET 2003 sp1. However, the patch is assigned a severity of important for Office and Visual Studio .NET installations.

As of this time, no other vendors have announced releases of patches for any third party products (such as Adobe Reader, Flash or Oracle Java)

 Update July 9 3:30 p.m.

In short, it’s going to be a big month for patching. As of July 9, Adobe released patches for Flash on Windows (including IE10 on Windows 8), Macintosh and Linux systems.  The updated version for Windows and Mac systems is 11.8.800.94.  Flash updates were also released for Google Chrome and also for Android systems. The version for the Chrome browser for Windows, Mac or Linux systems is 11.8.800.97.  Details are available at http://www.adobe.com/support/security/bulletins/apsb13-17.html.   Adobe has also released updates for Shockwave and also a security hotfix for Cold Fusion on JRun versions 9.0, 9.0.1, 9.0.2 and also Cold Fusion version 10.0. The Hotfix for Cold Fusion version 10 is considered critical while Cold Fusion on JRun vulnerabilities is considered important.  Additional details are available at http://www.adobe.com/support/security/bulletins/apsb13-19.html

 

Details on the Microsoft patches for July are still in the process of being released, but it’s safe to say that all workstations and servers should be patched as soon as possible. The main reason for this is two-fold. First with regard to workstations, (see the following URL – http://technet.microsoft.com/en-us/security/bulletin/ms13-055 ) there are a total of seventeen CRITICAL vulnerabilities (for which reliable exploit code is expected to be developed/released within the next 30days) being addressed in Internet Explorer that could allow remote code execution and second, even server environments for which a server core only installation is performed (that being installs that have excluded the Windows Graphical User Interface) on the system, have critical vulnerabilities for the following products: Windows Server 2008, 2008R2 and also Windows server 2012. All of these vulnerabilities will be addressed with the installation of the July patches.

 

Further, critical vulnerabilities exist for Windows Server installations in more than one module. There are critical vulnerabilities (again, even for server core installations) in .NET framework 3.51, .NET framework 4 and also .NET framework 4.5 for Windows Kernel Mode Drivers  (https://technet.microsoft.com/en-us/security/bulletin/ms13-052* ) and also in Windows GDI + (https://technet.microsoft.com/en-us/security/bulletin/ms13-054 ).

 

For Windows server installations that are more than just server core only the list of critical vulnerabilities is even more extensive and includes:

 

 

 

 

 

*Note1: Bulletin MS13-052 is also assigned a critical designation for the following installations of Silverlight: Silverlight 5 on Mac; Silverlight 5 Developer Runtime on Mac; Silverlight 5 (32 and 64 bit) when installed on Windows clients; Silverlight 5 Developer Runtime when installed on Windows clients; Silverlight 5 (32 and 64 bit) when installed on Windows Servers and Silverlight 5 Developer Runtime when installed on all supported releases of Windows Servers.

 

Note2: Bulletin MS13-054 is assigned a critical designation for the following installations: Lync 2010 (32 and 64 bit), Lync 2010 Attendee (user and admin install level), Lync 2013 (32 bit basic and also non-basic), and Lync 2013 (64 bit basic and also non basic).  But bulletin MS13-054 is assigned an important designation for the following installations: Visual Studio .NET 2003 SP1, Office 2003 SP3, Office 2007 SP3, Office 2010 SP1 (32 and 64 bit installations).

 

**Note3: Only bulletin  https://technet.microsoft.com/en-us/security/bulletin/ms13-053 applies to Itanium installations. Bulletins MS13-056 and MS13-057 are not applicable.

 

So July is not a month to be treated trivially for patch management. It’s one of the biggest I have seen in a while.

 

 

Tags:

Categories: Uncategorized