Microsoft patched a number of vulnerabilities this month in its Internet Explorer and Exchange Server products. Of the nine patch bulletins it issued, five were rated "critical."
August is the third straight month that a patch has been issued for a vulnerability that affects Internet Explorer (IE). The often-targeted browser received a cumulative update that fixes four flaws. The flaws don't allow for elevation of privilege, so users with low access may not be affected as much by the vulnerability as those with high access.
The vulnerabilities affect every version of IE. Microsoft also patched a vulnerability in JScript, which is rated "Important." The vulnerability could allow remote code execution if a user visits a malicious website.
Admins who manage Exchange servers should also be on the offensive: another bulletin addresses a critical vulnerability that could allow for remote code execution. The vulnerability, which lies in WebReady Document Viewing, can be exploited if a user views a malicious file in Outlook Web App (OWA).
According to Microsoft, the source of the vulnerability was Oracle Corp.'s Outside In libraries, on which WebReady Document Viewing is based. "Microsoft has to be extremely worried about it," said Marc Maiffret, chief technology officer at Carlsbad, Calif.-based IT security company BeyondTrust Software Inc., referring to Microsoft's use of open source libraries like Outside In.
It could be "the first of more to come," he said. The Exchange patch is the server's first critical patch since February 2009, when Microsoft patched a flaw in Exchange's handling of Rich Text Format files.
Remote Desktop Protocol (RDP) also received a critical patch, which fixed a flaw in Windows XP SP3. This continues a string of months in which Microsoft has released updates addressing issues in RDP. This one might have been uncovered because Microsoft does a security audit following a critical fix, Maiffret said.
Another vulnerability that Windows admins should focus on, Maiffret said, affects Microsoft Common Controls, which has a footprint in a number of products, including Microsoft Office, Microsoft SQL Server, Microsoft server software and Microsoft developer tools. It's a critical vulnerability and should be patched quickly.
In total, there were nine bulletins for the month of August, which is on the high end so far this year. More information about this month's Patch Tuesday can be found on Microsoft's bulletin page.