Microsoft Black Tuesday: Patch IE Zero Day & Windows Vulnerabilities

Microsoft’s March Patch Day is live, and looks to be by the numbers. As expected, they released five bulletins, including one that contains a fix for a zero day vulnerability in Internet Explorer. Their Patch Day summary highlights five security bulletins that fix 23 vulnerabilities in various Microsoft products, including Internet Explorer (IE), Windows and its various components, such as Silverlight. They rate two of these bulletins as Critical, and the rest as Important.

As I mentioned in my notification post, the most important update this month is the IE cumulative patch. Besides fixing 23 memory corruption flaws, many of which attackers could exploit to execute code, one specifically fixes a critical zero day flaw which attackers have been leveraging in watering hole attacks. Though Microsoft released a Fix-it for this vulnerability a few weeks ago, this update completely corrects the underlying issue. Make sure to install the IE update on all your clients as soon as possible. Hopefully, you already have Automatic Updates set to do it for you. Of course, you should also install the Windows updates too, especially the DirectShow one. If an attacker can trick one of your users into viewing a malicious JPEG image, he could exploit it to gain control of that user’s computer, with their privileges. You don’t want that.

While we are talking about Windows updates, let me take this time to continue to remind you that these updates are among the last that Windows XP will receive. XP users will likely see a few more updates next month, but after than it goes End-of-Life. Hopefully, most of you are saying, “Why do I care? I’ve been using Windows 7 or above for years.” But for the stragglers out there, you might want to consider upgrading to a more recent version of Windows. While I don’t want to come off as promoting Microsofts “upgrade” sales message, I do believe XP will likely pose more risk once the official updates stop. It seems very likely that some cyber attacker (or nation-state groups) out there are sitting on a zero day XP exploit or two; saving them until after Microsoft’s fixes run out. You might want to get away from XP before that happens.

In any case, I’ll share more details about today’s Patch Day bulletins on the blog throughout the day. Meanwhile, check out the March  bulletin summary now, if you’d like an early peek. — Corey Nachreiner, CISSP (@SecAdept).