I’m sure you’re used to the Microsoft Patch drill by now, so let’s jump right in…
According to their advance notification post, Microsoft plans to release five security bulletins next Tuesday, which is a rather small number compared to recent Patch Days. Their notice warns that the bulletins will include security updates for Windows, Office, and Internet Explorer (IE), and will fix a total of 23 vulnerabilities. The IE patch alone fixes 19 of those 23 issues, and it’s the only update Microsoft rates as Critical (the rest are rated Important).
Based on past experience, I’d bet that the majority of the IE fixes correct memory-related vulnerabilities that attackers could leverage in drive-by download attacks. So when Patch Day comes around next week, I recommend you get your IT staff to give precedence to the IE update, then take care of the other four.
As an aside, there is no word on whether Microsoft’s upcoming Windows updates will fix the zero-day kernel-mode driver vulnerability that I mentioned the Google researcher disclosed last week. I’ll let you know once I know this flaw is patched, and I’ll share more details about Patch Day next Tuesday. — Corey Nachreiner, CISSP (@SecAdept)