Secplicity – Security Simplified

Microsoft Black Tuesday: Updates Prevent Drive-by Downloads and Malicious Media

Happy Valentine’s Day and happy Microsoft Patch Day. Microsoft has posted their bulletins for February, so drop those chocolates and start patching.

Microsoft delivered on our expectations and released nine security bulletins today, covering flaws in Windows, Internet Explorer (IE), Office, and the .NET framework. They rate four of the bulletins as Critical.

Microsoft’s updates fix a wide range of security issues, from web browser flaws that could allow attackers to launch drive-by download (DbD) attacks (see this DbD video), to media handling vulnerabilities that could allow movies to install malware. I’d recommend that you apply today’s updates as quickly as you can.

In general, the severity order Microsoft lists in their summary bulletin is good. The only change I might make is to install the IE update first. Right now, attackers love to target our web browsers and the third-party plug-ins they use. If I were to prioritize all patches, I’d focus first on my browser and Adobe additions, like Flash and Reader. After you’ve installed the IE patch, follow with the Windows updates by severity, and finish with the .NET and Office patches.

As usual, don’t forget to test the updates before deploying them, especially ones you apply to critical production servers.

I’ll post more detailed alerts about these flaws, and how to fix them, shortly. — Corey Nachreiner, CISSP (@SecAdept)
