Ross Barrett, senior manager of security engineering at Rapid7
It will be very interesting to see if Microsoft is able to react rapidly enough to patch the kernel vulnerability recently disclosed by Google’s Tavis Ormandy. Ormandy has obviously had negative experiences in the past when disclosing to Microsoft, which might not reflect the current culture in Redmond with regard to disclosure.
That said, Microsoft is notoriously slow to patch disclosed bugs, often taking years to get to items if they are not seeing active exploitation. Conversely, Microsoft does respond to negative press; therefore, full disclosure has historically been effective in terms of eliciting a timely patch.
In fairness to Ormandy, I want to reiterate that his publication of exploit code was in response to a third-party publication of exploit code for the same vulnerability.
This issue may be addressed by “Bulletin 4” in this month’s advisories, which roughly fits the profile of Ormandy’s vulnerability. However, there has been a condition that fits that profile, more or less, every month for the past year.
It’s going to be a lighter than average month overall, with only 5 advisories. The sole critical patch is in IE affecting all versions – this is definitely the patching priority.
The next top issue would be the remote code execution in Office. Since this is listed as only “important,” there are likely significant hurdles to exploitation.
Lamar Bailey, director of security research and development at Tripwire
The Microsoft MSRC team must be on vacation because we are only getting five bulletins this month.
We have the omnipresent critical IE bulletin for remote code execution. This month it affects every version of IE from 6-10, so it automatically goes to the top of the ‘patch immediately’ list.
There are three Windows bulletins marked ‘important’ and they include information disclosure, denial of service, and an elevation of privilege. Together these bugs hit everything from XP to Windows 8 including the Windows Server operating systems.
The final bulletin in Microsoft Office is interesting – it’s only marked ‘important,’ but it’s also subject to remote code execution. This bug probably isn’t remotely exploitable; it probably has to do with parsing a document type. This will be one to watch on Tuesday.
Andrew Storms, director of security operations at Tripwire
IT admins are going to breathe a big sigh of relief because we’re going to see a really light month from Microsoft – we’re only going to see five bulletins and only one is critical. This is an excellent way to start the summer.
The critical bulletin is for Internet Explorer and it affects all versions of IE, so we don’t need to wait until Tuesday to know what’s going to be top priority this month.