Today isn’t just about hearts and flowers — it’s also Patch Tuesday, time for Microsoft to issue its regular roundup of security bulletins and fixes.
Today is a big deal. Yes, it is Valentine’s Day, but that’s not what I’m talking about. It is also the second Tuesday in the month of February which makes it Patch Tuesday. Microsoft has revealed that there are nine new security bulletins slated for today — Happy Valentine’s Day?
Of the nine security bulletins, four are rated as Critical and the remaining five are all Important. Based on the limited information Microsoft shares in the Patch Tuesday preview, the security updates impact Windows, Internet Explorer, Microsoft Office, the .NET framework, Silverlight, and Microsoft Server software.
Qualys CTO Wolfgang Kandek declares in a blog post that the Internet Explorer update should get urgent attention. “There is the expected critical update to Internet Explorer which should be highest priority. After all, we saw last month how quickly attackers are incorporating browser based attacks into their toolkits; an exploit for MS12-004 was detected a mere 15 days after Patch Tuesday.”
Marcus Carey, a security researcher at Rapid7, agrees that the Web browser is a crucial weak point for many consumers and organizations.
“We’re seeing a great many browser patches from Microsoft these days because researchers and attackers have realized that browser exploits have the most potential for harm and are currently the best attack surface. Browser-based attacks will certainly continue to be an attack vector from here on.”
Media players, browser plug-ins big targets
Carey also notes that one of the security bulletins is the third Critical update impacting .NET framework and Silverlight in just the past few months. He points out that media players and browser plug-ins are popular attack vectors, so any technology that is capable of exploiting the browser — either directly or indirectly — is getting increased attention from both attackers and security researchers.
Nine security bulletins is not quite the avalanche that we saw repeatedly with record-setting months in 2011, but it is also big enough to keep IT admins busy. Lumension security and forensic analyst Paul Henry believes nine is a relatively light Patch Tuesday, though. “Clearly, the company’s renewed focus is paying off. Now if folks would just follow through and patch!”
Many of the updates will require a system reboot, so IT admins should be prepared to test and deploy the patches at a time that provides minimum impact or downtime for users.
Hey Microsoft, if you’re looking for some Valentine’s Day gift ideas,next year I’d prefer some chocolate, or maybe just a nice card.