June Patch Tuesday--comments from HEAT Software.
Before diving into that, let's take a look at the job at hand this month, starting with Microsoft. MS 15-056 is a critical cumulative update for Internet Explorer addressing 24 CVEs. If you're using IE, patch it now, please. We see a patch every month for this popular browser for a reason. The bad guys love to exploit it along with all of the other popular browsers like Firefox and Chrome, and in too many instances, they are successful. This month, attackers could achieve remote code execution and gain the same rights as the affected user.
Second on your list of priorities should be MS 15-059. Although rated as important, it impacts all shipping desktop versions of Microsoft Office. This bulletin addresses three vulnerabilities in Office which an attacker can use for remote code execution.
There are other Microsoft bulletins to deal with--including critical MS 15-057 that impacts Windows Media Player and grants full user rights to the attacker when a malicious file is played--but you'll also need to prioritise a vulnerability in Adobe Flash. APSB15-11 is the eighth update of Flash Player this year and fixes 13 vulnerabilities across Windows and Mac desktops.
Microsoft has announced the release date of Windows 10 as July 29, 2015. For a year, this upgrade will be available for free and will continue for the lifetime of any device you install it on--your PC, tablet, or phone. In other words, Windows 10 is reportedly the last splashy OS release we will see. From there, Microsoft says they will continually update your OS with new features and security updates without the fanfare of a new OS version number and without the costly endeavor of testing code and holding on to it until a pre-selected release date. In time, this should result in a simpler, safer computing experience. Until then, we have to deal with a transition of the massive install base of Windows 7 machines to this new Windows as a service.
So what about Patch Tuesday? The release of Windows 10 will change how you push security updates too, maybe. Microsoft has been clear as mud on this process question, to be honest. As described in a Microsoft FAQ, licensed Home users will see updates pushed automatically, as they are ready. This process should get the millions of home machines using Windows updated faster, and that's a good thing, but what about the patches that fail? Are Home users the unfortunate testing ground? Only time will tell. And while enterprise users will have more choice on when to push updates, how that gets done has not yet been precisely defined.
In reviewing this month's patch load from Microsoft, we see plenty of legacy software in need of updating. Another thing the new Windows Update for Business does not make clear is how these systems will be updated. Will organizations who choose to remain on older systems receive updates on the typical Patch Tuesday cycle? It isn't clear yet, but one thing remains true: if you can update, you should. Remember, Windows Server 2003 reaches end of life next month. Hopefully you are working your migration plan.
Russ Ernst, product management director at HEAT Software (formerly Lumension)
|Title Annotation:||infosecurity EUROPE: Exhibitors Papers|
|Publication:||Database and Network Journal|
|Date:||Jun 1, 2015|