February 12, 2013, 3:05 PM — System administrators overseeing Microsoft Exchange deployments should take a close look at Microsoft's latest round of security patches. In addition to covering Windows and Internet Explorer, Microsoft's latest monthly batch of patches covers the widely used Exchange Server, both the Exchange Server 2007 and Exchange Server 2010 editions.
"Microsoft delivered a monster sized patch this month ... It's enough to make your head spin," wrote Andrew Storms, director of security operations for security firm nCircle, in an email.
Overall, Microsoft has issued 12 security updates, covering 57 vulnerabilities, one of the largest sets of security updates the company has ever released.
Microsoft tagged five of the 12 updates as critical, and labelled the remaining seven as important.
NCircle advises that organizations apply the two critical Internet Explorer patches first. "Both of these remote execution bugs are serious security risks, so patch all of them and patch them fast," Storms wrote. The two critical patches cover versions 6 through 10 of the browser.
Windows, specifically Windows XP Service Pack 3 (SP3) and Windows Vista, has two critical updates, and Microsoft Exchange is the focus of the fifth critical update.
While Windows and Explorer are updated pretty much every month, the appearance of an Exchange vulnerability is somewhat more rare. Microsoft bulletin MS13-012 explains the Exchange vulnerability. Attackers could compromise a deployment of Microsoft Exchange by having a user of Outlook Web Access click on a maliciously crafted attachment. The vulnerability actually stems from a library supplied by Oracle, called Oracle Outside In, that converts files in various formats so they can be viewed in the browser. Clicking on the attachment could trigger embedded code to execute on the server.
Microsoft routinely releases security patches for its software on the second Tuesday of each month. The predictability of patch Tuesday, as it is often called, allows administrators to set aside time to update their systems. As with any updates to critical IT systems, administrators are encouraged to apply the updates in a test environment to check for unanticipated interactions with hardware or other software. All of the updates in this month's batch may require restarting the system.
The security updates will be available at the Microsoft Download Center, through WSUS (Windows Server Update Services), and, for consumers, through the Windows Update process.