August Patch Tuesday Fixes 'Critical' IE Flaw

Microsoft's August Patch Tuesday is approaching and once again the company has plans to fix serious security vulnerabilities affecting its Internet Explorer (IE) web browser.

This month's Patch Tuesday includes eight security updates -- that's one more update than last month. However, August's Patch Tuesday includes just three security updates marked "critical," Microsoft's highest security rating. Last month there were seven of these updates.

Two of this month's critical updates are attracting plenty of media attention.

All Versions of Internet Explorer Vulnerable

The first affects every version of Internet Explorer, from the aging (and downright dangerous) Internet Explorer 6 on Windows XP to the new Internet Explorer 10 on Windows 8 and Windows RT.

Not much is known about the IE vulnerability. However, we do know that it could allow a hacker to remotely execute malicious code.

The same is true for the second critical vulnerability. In that case the target is Microsoft Exchange Server, versions 2007, 2010, and 2013.

"Across the board, all supported versions of Microsoft Exchange Server are affected by a critical vulnerability," noted Craig Young, a security researcher at Tripwire. (Source: threatpost.com)

"Exchange servers are invariably connected to the Internet in some form or another so it's going to be urgent to patch this one post-haste."

Which Flaw is the Bigger Concern? Experts Disagree

There's some disagreement among security experts about which of the two vulnerabilities should be considered a priority by IT professionals.

"Nothing trumps an IE update," insisted Andrew Storms, DevOps senior director at CloudPassage. "Browsers are the most targeted applications."

But Ross Barrett, Rapid7's security engineering senior manager, disagrees. "I would consider [the Exchange Server flaw] to be of the greatest concern," Barrett said. (Source: infosecurity-magazine.com)

"It affects all supported versions of Microsoft's Exchange Server and is rated as critical with remote code execution. If this is truly a remotely exploitable issue that does not require user interaction, then it's a potentially wormable issue and definitely should be put at the top of the patching priority list."

Microsoft's Patch Tuesday fixes will be available tomorrow, August 13, 2013.