Patch Tuesday: Microsoft has critical fixes for Exchange Server

Businesses will want to jump on patches that fix vulnerabilities to the gamut of Microsoft Exchange Server versions that are flagged in next week's Patch Tuesday alerts.

"This month's remediation is all about the Exchange servers," says Tommy Chin, a technical support engineer at CORE Security. The critical alert affects all supported versions of Exchange Server - Exchange Server 2007 Service Pack 3, Exchange Server 2010 SP 2 and 3, and Exchange Server 2013, cumulative updates 1 and 2.

RELATED:12 free Microsoft Exchange tools every IT admin will love 

TECH DEBATE:Google Gmail vs. hosted Microsoft Exchange 

Chin says Exchange's reliability is generally taken for granted. "However, what if all e-mail communications suddenly became compromised?" he says. "For most organizations, this scenario is simply unacceptable due to the sensitive information contained within today's e-mail conversations."

Ross Barrett, senior manager of security engineering at Rapid7, agrees. "If this is truly a remotely exploitable issue that does not require user interaction, then it's a potentially wormable issue and definitely should be put at the top of the patching priority list," Barrett says.Another critical alert, Bulletin 1, affects current versions of operating systems Windows 8 (and Windows RT) and Windows Server 2012, as well as earlier versions back through Windows XP and Windows Server 2003.

There are no details on what the exact vulnerabilities are but being ranked critical means they could allow code execution even if the user doesn't interact with the attack. Self-propagating malware and code execution without warnings or prompts are exploits that fit this category. Examples include browsing an infected Web page or opening a malicious email.

"To me, Bulletin 1 is most critical," says Ken Pickering, the director of engineering at CORE Security. "The last time I saw an IE Remote Code execution of this caliber, I saw live malware exploiting it not too long after. People are getting good at turning these IE vulnerabilities into web-based attacks."

Bulletin 1 affects Internet Explorer from Version 6 to Version 10 as deployed on all Windows client operating systems from Windows XP to Windows 8 including its ARM version, Windows RT. It also affects Windows Server 2003, 2008, 2008 RR2 and 2012.

Three out of eight bulletins this month are critical, possibly facilitating remote code execution on victim machines. The rest of the bulletins are ranked important, two allowing elevation of privileges by attackers, two threatening denial of service and one that could allow disclosure of information on the attacked machine.

Paul Henry, a security and forensics analyst at Lumension, notes that the bulleting count for this year so far is up seven over last year at this time, but this year so far there are 10 fewer critical ones.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

Tags patchesMicrosoftsecurityWindowssoftwareWide Area Network

More about GoogleLumensionMicrosoftRapid7

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Tim Greene

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place