Administrators will have another busy month as they implement Patch Tuesday updates, and they'll notice some familiar updates along the way.
The updates in August's Patch Tuesday address 23 vulnerabilities in total, and all three critical bulletins address remote code execution vulnerabilities.
One of the most critical updates comes for three vulnerabilities in Exchange Server's document viewing features. An attacker can gain control of the system if a user looks at a malicious file in Outlook Web App (OWA) hosted on Exchange 2007, Exchange 2010 or Exchange 2013.
Microsoft uses a third-party library from Oracle Corp., Outside In, for rendering documents inside OWA. It's a familiar problem: Microsoft has already updated the libraries Oracle provides in response to vulnerabilities addressed in February's Patch Tuesday, as well as in August and December of last year.
The vulnerabilities are rated low by Oracle, but because the libraries run on the Exchange server itself rather than on a user's machine, the impact can be severe.
"It's important, because the compromise is on the server side, [an attacker] could take over that machine that runs your OWA," said Amol Sarwate, director of Redwood Shores, Calif.-based IT security firm Qualys Inc.'s vulnerability labs.
Disabling Microsoft’s WebReady feature is the most efficient fix within OWA, Sarwate said.
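As an added illustration of that workaround (not part of the original article), the following Exchange Management Shell session turns WebReady Document Viewing off on every OWA virtual directory and then verifies the change. It assumes an Exchange 2007 or 2010 Client Access server and an account with rights to run Set-OwaVirtualDirectory.

```powershell
# Added example: disable WebReady Document Viewing on all OWA virtual directories.
# Assumes the Exchange Management Shell on an Exchange 2007/2010 Client Access
# server, run by an account permitted to modify OWA virtual directory settings.

$owaDirs = Get-OwaVirtualDirectory

# Record the current state so the change can be reviewed or reverted later.
"Before:"
$owaDirs | Format-Table Identity, Server,
    WebReadyDocumentViewingOnPublicComputersEnabled,
    WebReadyDocumentViewingOnPrivateComputersEnabled -AutoSize

# Turn off WebReady for both public-computer and private-computer sessions.
foreach ($dir in $owaDirs) {
    Set-OwaVirtualDirectory -Identity $dir.Identity `
        -WebReadyDocumentViewingOnPublicComputersEnabled $false `
        -WebReadyDocumentViewingOnPrivateComputersEnabled $false
}

# Verify: flag any directory that still reports $true for either setting.
$stillOn = Get-OwaVirtualDirectory | Where-Object {
    $_.WebReadyDocumentViewingOnPublicComputersEnabled -or
    $_.WebReadyDocumentViewingOnPrivateComputersEnabled
}
if ($stillOn) {
    "WebReady is still enabled on:"
    $stillOn | Format-Table Identity, Server -AutoSize
} else {
    "WebReady Document Viewing is disabled on all OWA virtual directories."
}
```

Users lose the in-browser attachment preview until the update is installed and the setting is reverted; Exchange 2013 does not expose these WebReady parameters, so its workaround differs.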
Internet Explorer receives critical fixes
Multiple versions of Internet Explorer will receive updates this month. The updates address 11 vulnerabilities that could be exploited if users visit malicious webpages, across all versions of Windows and Internet Explorer. Every workstation should be patched immediately, said Wolfgang Kandek, CTO of Qualys.
Another critical update admins should pay attention to addresses a vulnerability in the Unicode Scripts Processor found on Windows XP and Windows Server 2003. The vulnerability can be exploited if users open a page or document that supports OpenType fonts. It serves as another reminder that Windows XP won't receive any updates beginning in April of 2014.
The five important bulletins included in this month's Patch Tuesday updates address elevation of privilege, information disclosure and denial of service vulnerabilities. These fixes apply to multiple versions of Windows Server and address vulnerabilities in Windows Kernel, ICMP, Windows NAT driver and Active Directory Federation Services (AD FS).
In the case of AD FS, the vulnerability deals with a denial of service attack that could be launched by exposing the AD FS user account, said Kandek.
The complete list of this month's fixes can be found here.
The updates in August's Patch Tuesday bring this year's total up to 66, an increase from 59 updates at the same time last year.