Microsoft releases critical patches, improves IE security
This June Patch Tuesday we have a slightly smaller patch load from Microsoft, taking us back to more historic average releases of eight bulletins. We have just two critical patches to deal with and six important. While this is good news for those that have their sights set on some summer vacation, this release also makes us wonder how many more of these Patch Tuesday cycles will we have?
Before diving into that, let’s take a look at the job at hand this month, starting with Microsoft. MS15-056 is a critical cumulative update for Internet Explorer addressing 24 CVEs. If you’re using IE, patch it now, please. We see a patch every month for this popular browser for a reason. The bad guys love to exploit it along with all of the other popular browsers like Firefox and Chrome, and in too many instances, they are successful. This month, attackers could force a remote code execution and gain the same rights as the affected user.
Second on your list of priorities should be MS15-059. Although rated as important, it impacts all shipping desktop versions of Microsoft Office. This bulletin addresses three vulnerabilities in Office which an attacker can use for remote code execution.
There are other Microsoft bulletins to deal with – including critical MS15-057 that impacts Windows Media Player and grants full user rights to the attacker when a malicious file is played – but you’ll also need to prioritize a vulnerability in Adobe Flash. APSB15-11 is the eighth update of Flash Player this year and updates 13 vulnerabilities that span across Windows and Mac desktops.
Microsoft has announced the release of Windows 10 as July 29, 2015. For a year, this upgrade will be available for free and will continue for the lifetime of any device you install it on – your PC, tablet, or phone. In other words, Windows 10 is reportedly the last splashy OS release we will see.
From there, Microsoft says they will continually update your OS with new features and security updates without the fanfare of a new OS version number, without the costly endeavor of testing code and holding on to it until a pre-selected release date. In time, this should result in a simpler, safer computing experience. Until then, we have to deal with a transition of the massive install base of Windows 7 machines to this new Windows as a service.
So what about Patch Tuesday? The release of Windows 10 will change how you push security updates too, maybe. Microsoft has been clear as mud on this process question, to be honest.
As described in a Microsoft FAQ, licensed Home users will see updates pushed automatically, as they are ready. This process should get the millions of home machines using Windows updated faster, and that’s a good thing, but what about the patches that fail? Are Home users the unfortunate testing ground? Only time will tell. And while enterprise users will have more choice on when to push updates, how that gets done has not yet been precisely defined.
In reviewing this month’s patch load from Microsoft, we see plenty of legacy software in need of updating. Another thing the new Windows Update for Business does not make clear is how will these systems be updated? Will organizations who choose to remain on older systems receive updates on the typical Patch Tuesday cycle? It isn’t clear yet but one thing remains true. If you can update, you should. Remember, Windows Server 2003 reaches end of life next month. Hopefully you are working your migration plan.