Critical Exchange Fix in Last Patch Tuesday Release of Year

In its last Patch Tuesday of the year, Microsoft pushed out seven security bulletins, including one affecting Exchange server.

The “critical” bulletin concerning Exchange affects versions 2007 SP3, 2010 SP1 and 2010 SP2.

Critical updates, which Microsoft recommends be applied immediately, address vulnerabilities that, if exploited, could allow code execution without user interaction. Such exploits could be launched by self-propagating malware such as computer worms, or occur in scenarios where code is executed without any warning or prompt.

The Exchange server update in Bulletin 4, which may require a restart, should get the most attention, Wolfgang Kandek, CTO of Qualys, of Redwood City, Calif., told Moriah Sargent, writing for TechTarget's SearchSecurity website. If the update can't be applied immediately, patching teams should implement a short-term fix, he recommended.
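As an added example (not code from the article, Qualys or TechTarget), the following script records what a patching team would want to verify on an Exchange host after this bulletin: the installed Exchange build, the OS updates applied recently, and whether a restart is still pending. It assumes it is run in the Exchange Management Shell on an Exchange 2007 SP3 or 2010 server with PowerShell 2.0 or later; the $DaysBack window is an illustrative choice.

```powershell
# Added example, not from the article: capture patch state on an Exchange server.
# Assumes the Exchange Management Shell (Get-ExchangeServer) and PowerShell 2.0+
# (Get-HotFix). $DaysBack is an illustrative default.
param([int]$DaysBack = 30)

# Exchange build: AdminDisplayVersion reflects the installed service pack / rollup.
$exch = Get-ExchangeServer -Identity $env:COMPUTERNAME |
        Select-Object Name, Edition, AdminDisplayVersion

# OS hotfixes installed since the cutoff (Get-HotFix wraps Win32_QuickFixEngineering).
# InstalledOn is sometimes empty on older systems, so keep entries with no date rather
# than silently dropping them.
$cutoff = (Get-Date).AddDays(-$DaysBack)
$recent = Get-HotFix |
          Where-Object { -not $_.InstalledOn -or $_.InstalledOn -ge $cutoff } |
          Sort-Object InstalledOn -Descending |
          Select-Object HotFixID, Description, InstalledOn

# Reboot-pending signals that Windows Update and component servicing leave in the
# registry; an update that "may require a restart" is not fully applied until then.
$pendingKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
)
$rebootPending = $false
foreach ($k in $pendingKeys) {
    if (Test-Path $k) { $rebootPending = $true }
}
$sm = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
if ($sm.PendingFileRenameOperations) { $rebootPending = $true }

$exch | Format-List
$recent | Format-Table -AutoSize
"Reboot pending: $rebootPending"
```

Run it before and after applying the bulletin so the two reports can be compared; a host whose build and hotfix list are unchanged, or that still shows a pending reboot, has not actually been remediated.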

Critical updates in Bulletin 1, which requires a restart, affect Internet Explorer 9 on Windows Vista and Windows 7, and Internet Explorer 10 on Windows 8 and Windows RT.

Although Internet Explorer 10 is being patched alongside previous versions of the browser, it contains features that make it more secure than earlier releases. For example, its Enhanced Protected Mode ensures that the browser has read/write access only where necessary and runs each tab in a sandbox to limit its ability to change the system it runs on. It also helps curb code-injection attacks by randomizing the location of all modules the program loads into memory.

Bulletin 2, which requires a restart, contains critical updates for Windows XP SP3, Windows XP Professional x64 SP2, Windows Server 2003 SP2, Windows Server 2003 x64 SP2, Windows Server 2003 SP2 for Itanium-based systems, Windows Vista SP2 and Vista x64 SP2, Windows Server 2008 SP2, Windows 7 and Windows 7 SP1, Windows Server 2008 R2, Windows 8, Windows Server 2012 and Windows RT.

Although Windows 8 and Windows RT are only a little over a month old, this is the second time they’ve received critical updates.

Despite the security updates for Windows 8, it is still considered Microsoft's most secure operating system to date. It supports a new firmware interface for PCs, the Unified Extensible Firmware Interface (UEFI), which replaces the traditional BIOS. That firmware interface includes a feature called Secure Boot, which security experts predict will make the operating system resistant to low-level malware such as rootkits.
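Secure Boot only protects the boot chain when the machine actually booted through UEFI with the policy enforced; a Windows 8 install on a machine left in legacy BIOS mode gets none of that protection. The following added check (not from the article) reports both conditions. It assumes an elevated PowerShell 3.0 prompt on Windows 8 or Windows Server 2012, where the Confirm-SecureBootUEFI cmdlet and the firmware_type environment variable are available.

```powershell
# Added example, not from the article: confirm UEFI boot and Secure Boot enforcement.
# Assumes an elevated prompt on Windows 8 / Server 2012 (PowerShell 3.0).
# Confirm-SecureBootUEFI throws on systems whose firmware does not support it.
$os = Get-WmiObject Win32_OperatingSystem
$firmware = $env:firmware_type          # "UEFI" or "Legacy" on Windows 8 and later

$secureBoot = $null
try {
    $secureBoot = Confirm-SecureBootUEFI   # $true when the firmware enforces Secure Boot
} catch {
    $secureBoot = "unsupported ($($_.Exception.Message))"
}

[pscustomobject]@{
    Computer     = $env:COMPUTERNAME
    OSVersion    = $os.Version            # 6.2.x is Windows 8 / Server 2012
    FirmwareType = $firmware
    SecureBoot   = $secureBoot
}

# Both conditions must hold for the boot chain to be protected against bootkits.
if ($firmware -ne 'UEFI' -or $secureBoot -ne $true) {
    Write-Warning 'Boot chain is not protected: enable UEFI mode and Secure Boot in firmware setup.'
}
```

A "Legacy" firmware type with Secure Boot reported as unsupported is the common case on hardware that was imaged in BIOS compatibility mode; switching it requires a reinstall on a GPT disk, not just a firmware toggle.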

Bulletin 3, which may require a restart, contains critical fixes for several versions of Microsoft Word: 2003 SP3, 2007 SP2, 2007 SP3 and the 2010 32- and 64-bit versions.

It is unusual for Microsoft to categorize Office vulnerabilities as critical, because typically a user must do something for the vulnerability to be exploited. It is surmised that the flaw this fix addresses concerns the display of Word files in Outlook's preview pane. If a malicious Word file were displayed in the pane, an exploit could be launched without the user ever opening the file.

Bulletin 5, which requires a restart, contains critical updates for Windows XP SP3 and XP Professional x64 SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, Windows 7 32- and 64-bit versions and 32-bit SP1, Windows Server 2008 R2 and R2 SP1, and Server Core installations of Windows Server 2008 and 2008 R2.

Bulletins 6 and 7, which both require restarts, do not have any critical updates.

Written by John P Mello Jr

John Mello is a freelance writer who has written about business and technical subjects for more than 25 years. He is a frequent contributor to the ECT News Network and his work has appeared in a number of periodicals, including Byte magazine, PC World, Computerworld, CIO magazine and the Boston Globe.