Don’t waste any time – get that thing rolled out quick because it’s wide-ranging and already being exploited.
Normally companies should proceed at their own pace when deploying Microsoft’s monthly updates, known as Patch Tuesday, since they come out on the second Tuesday of every month.
This month’s batch, though, is pretty hefty in terms of impact and volume, so you may want to make it a priority. This month’s Patch Tuesday consists of seven bulletins addressing a total of 34 vulnerabilities, and half of them are in Internet Explorer. Six of the seven bulletins are rated critical, a little more than usual, and the flaws they address can give attackers the power to execute code on victim machines.
Fortunately, the bugs in Windows and IE require the end user to do something, like use their browser to visit an infected site or click on a link in an instant messenger. “So they all require end-user actions. If you don’t browse or use instant messenger, it won’t affect you. So on servers you can take your time, they are not that urgent,” said Wolfgang Kandek, CTO of the security firm Qualys.
For desktop users, however, these are critical because that’s how most PCs get infected – by user interaction of one form or another. Kandek called attention to two of the bulletins. Bulletin MS13-055 rounds up 17 known vulnerabilities and exploits in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer.
Kandek said at least one of the vulnerabilities is already being exploited by hackers, so either patch IE or use another browser until you do.
MS13-053 handles two publicly disclosed and six privately reported vulnerabilities in Windows, the most severe of which could allow remote code execution if a user views shared content that embeds TrueType font files.
With so many critical fixes to the OS and browser, Kandek said desktop users should prioritize rolling out the fixes. “I don’t see why you would extensively need to test it,” he said.
Lost in the hoopla of Patch Tuesday was a trio of important bulletins from Adobe Systems, which issued significant fixes for Flash, Shockwave and ColdFusion.
Also, Oracle will issue a Java patch next week; the company appears to be running its own Patch Tuesday cycle, except it’s on the third Tuesday of every month.