If you use the Windows operating system, or just about any of the core products offered by Microsoft, it's time to install some crucial updates. Today, Microsoft pushed out seven new security bulletins--along with their accompanying patches--as well as a new policy that affects both third-party apps and those developed by Microsoft itself.
Of the seven security bulletins, six of them are rated Critical, while the remaining one is ranked as Important. The Critical security bulletins affect Windows, Internet Explorer, Microsoft Office, Silverlight, and more. The Important security bulletin addresses a privilege elevation flaw in the Windows Defender security software, so that definitely shouldn't be ignored.
Ross Barrett, senior manager of security engineering at Rapid7, stressed this isn't your typical Patch Tuesday announcement. "Basically everything in the core Microsoft world is affected by one or more of these; every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It's going to be a busy time for security teams everywhere."
Tyler Reguly, technical manager of security research and development at Tripwire, said it can be difficult to prioritize patch deployment when almost all of them are Critical. "Luckily, there's safety in the known, so customers should patch Internet Explorer first, a common theme for Microsoft patch drops."
That means start with MS13-055--the ever-popular cumulative patch update for the Internet Explorer web browser. Reguly feels that MS13-053 should be next in line for attention after MS13-055 because it fixes a vulnerability that is already being exploited in the wild.
Qualys CTO Wolfgang Kandek agrees that MS13-053 and MS13-055 are the top priorities, but in his mind the order of urgency is reversed. In a blog post, Kandek argues that MS13-053 is the most crucial because it affects all versions of the Windows OS and addresses vulnerabilities that are being actively exploited. Kandek warns, "The most likely attack vector is through end users browsing a malicious web page or opening an infected document, which results in Remote Code Execution that gives control of the affected machine to the attacker."
Developers--including Microsoft--will have only 180 days to address critical vulnerabilities.
The other big news from Microsoft is the unveiling of a new policy that places a countdown clock on dealing with vulnerabilities. Craig Young, Tripwire security researcher, explained, "Under the new policy, any app in any of the four [Microsoft] app stores will be given 180 days to resolve reported code execution bugs. This policy applies to 3rd-party developers as well as Microsoft's own applications and is a great addition to Microsoft's existing policy of scanning and reviewing app submissions."