Microsoft says you can expect seven security updates tomorrow -- four of which will address critical vulnerabilities in Windows, IE, Silverlight and Office.
Here's a more in-depth preview from some of the industry's better-known patch management experts:
Paul Henry, security and forensic analyst, Lumension:
Bulletin 1 is likely your top priority, affecting all versions of IE across all versions of Windows. What's particularly concerning to me is that this is a remote code execution issue that critically affects the latest version of IE (IE 10) and the two newest versions of Windows: Windows 8 and Windows RT. Fortunately, this issue has no known attacks in the wild. However, you should still plan to patch this immediately.
After Bulletin 1, the rest of the patches should be prioritized based on what you’re using. Bulletin 2 will likely have more of an impact on consumers than business users, as it only affects the Microsoft Silverlight plug-in. As a reminder, you should keep plug-ins as up to date as possible and avoid introducing them into your computing environment if you can, as they add another threat vector and are frequently an easy target for the bad guys.
Bulletin 3 on the other hand, will likely impact business users much more strongly than consumers, since it is a remote code execution issue for Microsoft Visio Viewer. I never like to see RCE issues, so if this is a program you’re using, patch this quickly.
Bulletin 4 is an elevation of privilege issue with SharePoint. We’ve seen a few of these over the last several months. This one in particular could allow an attacker to elevate from an anonymous user to ownership of the SharePoint site, which could be very damaging. Fortunately, this is not under active attack. However, I would rank this as your second priority if you’re using SharePoint.
Bulletins 5 and 6 are both information disclosure issues, which are typically less serious than an elevation of privilege or remote code execution issue. Interestingly, Bulletin 6 is actually an Office for Mac issue, affecting Microsoft Office 2008 on the Mac platform. If this were exploited, an attacker could determine if an email account exists or if a particular email has been read. This could be used in supplement to a phishing attack. If you are a Mac user, don’t forget to patch this one.
Bulletin 7 is an elevation of privilege issue affecting all operating systems. We typically don’t prioritize “important” issues, but I would rank this as your top priority “important” issue this month, because of its far-reaching effect on all current Windows platforms.
Java Continues to be a Problem
Java has been a problem for quite some time now and is continuing to rear its ugly head. More vulnerabilities are out in the wild and Oracle has its hands full keeping the platform patched and ready to go. If you haven’t already, please update to the latest version of Java immediately and uninstall all older versions. If you aren’t using Java, uninstall it or disable it. This will be one of the best ways to protect yourself as we continue to wrestle with a more long-term solution to the Java problem.
Wolfgang Kandek, Qualys CTO:
Bulletin 1 will be on the top of our list next week. It fixes critical vulnerabilities that could be used for machine takeover in all versions of Internet Explorer from 6 to 10, on all platforms including Windows 8 and Windows RT. Bulletin 2 addresses critical vulnerabilities in Microsoft Silverlight, both on Windows and Mac OS X, and is widely installed at least on end-user workstations to run media applications, for example Netflix. Bulletin 3 is a vulnerability in Visio and the Microsoft Office Filter Pack. It is puzzling to see such a high rating for this software that typically requires opening of an infected file in order for the attack to work. It will be interesting to see the attack vector for this vulnerability that warrants the “critical” rating. The last critical bulletin is for SharePoint server. The three remaining bulletins are all rated “important” and apply to OneNote, Office 2010 for Mac and Windows itself.
Alex Horan, senior product manager, CORE Security:
Preventing future drive-by style attacks and protecting end-users appear to be the theme of this month’s Patch Tuesday. Bulletin number one represents the significance of this update as the Remote Code Execution can be used to target and exploit end-users across all versions of Internet Explorer on Windows desktops. My concern in reviewing these updates isn’t so much centered around the critical nature of the vulnerability, but rather the number of end-user patches that are required to shore them up. These patches can be a hassle for users to deploy and have the potential to create a long enough delay where hackers can take advantage.