Video: MS Active Directory and IE fixes top priority, say security firms

Microsoft's June monthly security update will keep IT administrators very busy this week, with 10 updates covering 31 vulnerabilities.

This is the largest number of vulnerabilities to be covered in a single update since Microsoft began its monthly patch cycle in 2003.

The update is a challenge to IT administrators because in addition to the high number of vulnerabilities, it covers a broad range of products, said Dave Marcus of security firm McAfee.

"Businesses will need a solid risk management strategy to test and prioritise the fixes," he said.

Urgent action required

Most security firms are advising IT administrators to install the updates as soon as possible, but have rated the Active Directory and Internet Explorer patches as the most urgent.

Seventeen of the issues are rated "critical" and affect Office, Print Spooler, Excel, Word, Internet Explorer and Active Directory.

The more severe of the two Active Directory issues can be exploited remotely to gain complete access to a vulnerable computer, security firm Symantec said in a blog posting.

Wolfgang Kandek, CTO at IT risk assessment firm Qualys, said patching Active Directory is one of the most important things for IT administrators to do. "Active Directory is a critical infrastructure for most companies."

In most cases, the remaining "critical" issues are triggered by user interaction, such as visiting a website containing malicious content or opening a malicious file.

Malware infection through legitimate websites remains one of the most popular attack methods, said Symantec's John Harrison.

Patches for Internet Explorer should also be a priority, according to most security firms. Even IE8, released in March, was included, although there was only one update for it compared with seven for IE7.

"Organisations should update to IE8 because this will make them less vulnerable," said Kandek.

Security update

Although Microsoft's advance notification made no mention of PowerPoint fixes for the Mac operating system, they were included in the update. Last month, Microsoft issued fixes for the Windows versions, but said Mac users would have to wait for the patch to be completed.

The update also included a patch for the Internet Information Server (IIS) flaw reported by Microsoft last month, but not included in the advance bulletin.

Security updates from Adobe for its Reader product will add to IT administrators' workloads this week.

VIDEO: Qualys' Wolfgang Kandek and Amol Sarwate discuss the deluge of security updates 
