Microsoft's mega Patch Tuesday marks end of Windows Server 2003 support

Microsoft's July Patch Tuesday bundle today released 14 bulletins, of which four were ranked critical, while also marking the end of support for Windows Server 2003.

A further ten of the patches released today were ranked by Microsoft as "important".

The four critical patches resolved remote code execution (RCE) flaws impacting Windows and Internet Explorer (IE). One of the critical bulletins was a cumulative update for IE, MS15-065, which addressed CVE-2015-2425 uncovered in the recent Hacking Team leak.

Of note, bulletin MS15-077, ranked “important,” resolved a vulnerability in Adobe Type Manager Font Drive that could allow elevation of privilege. The bug was also exposed in the Hacking Team 400GB data dump, in which hackers published the details of exploits the Italian firm sold.

The other nine “important” Microsoft patches addressed vulnerabilities in Microsoft SQL Server, Windows, and Office allowing remote code execution, as well as flaws in Windows allowing elevation of privilege.

Final fixes for Windows Server 2003 were also included in this month's Patch Tuesday roundup.

Nine of the 14 bulletins released today affected Windows Server 2003 - which according to Qualys CTO Wolfgang Kandek meant attackers will continue to find issues with the product at roughly that rate.

“There are only two things to do to avoid that threat, migrate away from Server 2003 or pay Microsoft for the necessary patches through a special support contract,” he said.

Kandek said users should make sure to employ patches released by both Microsoft and Adobe addressing bugs subject to active exploit: CVE-2015-2387 and CVE-2015-2424 fixed by Microsoft, and Flash Player zero-days, CVE-2015-5122 and CVE-2015-5123, fixed in a separate Adobe update.

This article originally appeared at scmagazineus.com