Critical IE update slated for Patch Tuesday

There are only five security bulletins scheduled for next week, but one is a Critical update for Internet Explorer.

The second Tuesday of each month is Microsoft's Patch Tuesday, and Microsoft offers a heads-up the Thursday before. That's today, and Microsoft's Security Bulletin Advance Notification for June 2013 indicates it will be a laid-back month for IT admins--with one significant exception.

Microsoft has five security bulletins scheduled for next week. It's the fewest bulletins for a single month so far this year, so IT admins are getting a bit of a break from the normally hectic pace of patch implementation. On top of that, of the five bulletins only one is rated as Critical, while the other four are merely Important.

Paul Henry, Security and Forensic Analyst at Lumension, points out that 2013 is eight bulletins ahead of last year at the halfway point. He also notes, however, that there has been the exact same number of Critical bulletins thus far, with 16.

The biggest priority for June will be Bulletin 1: a cumulative update for Internet Explorer--addressing 19 of the 23 issues fixed by Microsoft for Patch Tuesday.

"Bulletin One is downright scary, a remote code execution on IE on all versions of Windows [running from IE 6 through 10 on various platforms]," says Ken Pickering, development manager of security intelligence for CORE Security. "This one would make it easy to remotely gain access to someone's machine via a malicious webpage."

Henry disagrees a bit on the overall severity. "Though this may be very concerning at first glance, the bulletin should not cause undue alarm. In order for the vulnerability to be executed, an attacker would have to craft a malicious site and use a phishing attack to lure an unsuspecting user to the site, which would then compromise the system."

Keeping that in mind, though, there is still cause for concern. A well-crafted phishing attack can achieve great success in luring unsuspecting users to help compromise their own systems. Make sure you educate your users about the threat, and remind everyone to think twice (or three times) before clicking suspicious or unknown links.

Bulletin 5 is also interesting. It is a vulnerability in Microsoft Office, but most IT admins probably won't pay much attention to it--it only affects Office 2003 on Windows systems. What is concerning about Bulletin 5 is that it is a remote code execution vulnerability that also works against Office 2011 for Mac.

Tune in next Tuesday, when the security bulletins are officially released, for a deeper analysis of the vulnerabilities and priorities for patching.
