How to Prioritize Microsoft Patch Tuesday
Patch Tuesday is upon us once again. Following a very light Patch Tuesday in January which left a number of exposed zero-day vulnerabilities unpatched, Microsoft is bouncing back with 12 security bulletins for February.
Such a high volume of patches--addressing 22 separate vulnerabilities--poses a challenge for IT admins. Rather than simply applying the updates in numerical order, IT admins need to understand the risk posed to their unique environments by the various flaws, and prioritize the updates accordingly to prevent the most probable attacks, and protect the most critical systems.
"It's great to see so many vulnerabilities getting fixed, but months like this can be challenging for IT managers," said Joshua Talbot, security intelligence manager, Symantec Security Response. "Considering Adobe is also releasing a security update today and a major Java release is expected from Oracle in the coming weeks, February is going to be busy. The key will be prioritizing. Patch all the ‘critical' vulnerabilities first, and then move on from there."
So, where should you begin? Here's what you need to know about the February security bulletins.
Andrew Storms, Director of Security Operations for nCircle, explains, "The Internet Explorer patch (MS11-003) should be at the top of everyone's list today because it includes a fix for the zero-day bug that has caused Microsoft quite a bit of angst since it became public in December."
I spoke with Jerry Bryant, group manager of response communications for Microsoft Trustworthy Computing. Bryant explained that Microsoft monitored exploits closely for this flaw, but that none of the attempts at attacking it were very successful so it did not warrant an out-of-band update.
Next, IT admins should take a look at MS11-006, which is another Critical security bulletin addressing a vulnerability in the Windows Shell graphics processor. The vulnerability could allow remote code execution if a user views a specially crafted thumbnail image.
The third priority is the remaining Critical security bulletin--MS11-007. Qualys CTO Wolfgang Kandek describes the issue in a blog post. "MS11-007 is the third critical vulnerability in this month's lineup and addresses a flaw in the OpenType library. Since OpenType is not used in Internet Explorer, this important attack vector is closed off, forcing more complicated delivery schemes to be used--via zipped folders for example, similar to this attack on MS11-006."
Finally, the biggest news from Microsoft today might not even be about Patch Tuesday. Microsoft also announced that it will now automatically push out an update affecting the behavior of AutoRun in Windows. The update has been available for quite a while, but prior to today it was an optional download.
Tyler Reguly, Technical Manager of Security Resrach and Development for nCircle, commented, "Beyond the vulnerabilities, I think the delivery of the disabled auto-run for thumb drives is a huge increase in security for users. Malware commonly spreads via auto-run, and lately we've seen malware ship on a large number of consumer products, so this added protection can only be good for the end user. I'm glad to see that Microsoft is pushing this non-security update out to all consumers."