Today is Patch Tuesday. I don't know if it was the focus on Apple's WWDC announcements and the gaming news coming out of E3, the attention I have been devoting to the 30 Days With Ubuntu Linux project, or the headline-stealing LulzSec hacks, but Patch Tuesday caught me by surprise this month. Ironically, as low-key as Patch Tuesday seems this month, it is actually one of the biggest in recent months when it comes to critical updates.
Microsoft unleashed 16 security bulletins for June, nine of which are ranked as Critical by Microsoft. Even more concerning than the Critical designation is the fact that seven of the nine Critical bulletins also have an exploitability index of one--indicating that an exploit is very likely in the next 30 days.
Paul Henry, security and forensics analyst at Lumension, explains, "With 9 critical bulletins and the vast majority directly requiring a reboot, this marks the beginning of a long summer for IT professionals with no room for slowing down."
Obviously, consumers and businesses should apply all applicable patches and updates as soon possible, especially the ones rated Critical, but I spoke with Jerry Bryant, group manager, response communications for Microsoft Trustworthy Computing, who specified four security bulletins in particular that should get priority attention. MS11-042, MS11-043, MS11-050, and MS11-052 should come first for most customers.
Andrew Storms, director of security operations for nCircle, points out, "As usual, Internet Explorer is at the top of the critical list. This is the first IE9 patch since it was released in April, and it has to be uncomfortable for Microsoft to have to patch their brand new browser so quickly."
Tyler Reguly, also from nCircle, says, "Another Patch Tuesday, another dose of the same. Most people probably have the patch drill down to a science at this point: patch Internet Explorer first, your client software second, and obscure software third."
While the exploitability index and guidance from Microsoft are helpful, it is up to IT admins to assess the vulnerabilities and the risk posed by each to their unique environment and prioritize the patches accordingly. Jason Miller, manager of research and development at Vmware--which recently acquired Shavlik Technologies, says, "With such a large number of bulletins and affected products this month, it is important to review each bulletin thoroughly and plan your patch attack this month. Every machine, whether server or workstation, will be affected this month."
It is worth noting once again that newer operating systems and applications are at less risk than older ones. If organizations are weighing the decision to upgrade operating systems, Web browsers, or productivity suites, they should certainly factor in the increased cost of the time and effort required to support and protect legacy software. Lumension's Henry stresses, "It is absolutely imperative that people download a newer version of IE in order to take advantage of the more secure codebase."