If you use the Windows operating system, or just about any of the core products offered by Microsoft, it's time to install some crucial updates. Today, Microsoft pushed out seven new security bulletins—along with their accompanying patches—as well as a new policy that affects both third-party apps and those developed by Microsoft itself.
Of the seven security bulletins, six of them are rated Critical, while the remaining one is ranked as Important. The Critical security bulletins affect Windows, Internet Explorer, Microsoft Office, Silverlight, and more. The Important security bulletin addresses a privilege elevation flaw in the Windows Defender security software, so that definitely shouldn’t be ignored.
Ross Barrett, senior manager of security engineering at Rapid7, stressed this isn't your typical Patch Tuesday announcement. “Basically everything in the core Microsoft world is affected by one or more of these; every supported OS, every version of MS Office, Lync, Silverlight, Visual Studio and .NET. It’s going to be a busy time for security teams everywhere.”
Tyler Reguly, technical manager of security research and development at Tripwire, said it can be difficult to prioritize patch deployment when almost all of them are Critical. “Luckily, there's safety in the known, so customers should patch Internet Explorer first, a common theme for Microsoft patch drops.”
That means start with MS13-055—the ever-popular cumulative patch update for the Internet Explorer web browser. Reguly feels that MS13-053 should be next in line for attention after MS13-055 because it fixes a vulnerability that is already being exploited in the wild.
Qualys CTO Wolfgang Kandek agrees that MS13-053 and MS13-055 are the top priorities, but in his mind the order of urgency is reversed. In a blog post, Kandek argues that MS13-053 is the more crucial of the two because it affects all versions of the Windows OS and addresses vulnerabilities that are being actively exploited. Kandek warns, “The most likely attack vector is through end users browsing a malicious web page or opening an infected document, which results in Remote Code Execution that gives control of the affected machine to the attacker.”
The other big news from Microsoft is the unveiling of a new policy that places a countdown clock on dealing with vulnerabilities. Craig Young, Tripwire security researcher, explained, “Under the new policy, any app in any of the four [Microsoft] app stores will be given 180 days to resolve reported code execution bugs. This policy applies to 3rd-party developers as well as Microsoft’s own applications and is a great addition to Microsoft’s existing policy of scanning and reviewing app submissions.”
This new policy from Microsoft is significant for businesses that rely on Microsoft platforms and devices. Six months is still a long time for a vulnerability to be in place—especially Critical or Important vulnerabilities that can potentially be exploited to execute malicious code remotely—but the policy shows Microsoft's continued commitment to security. The policy applies to all apps available through the Windows Store, Windows Phone Store, Office Store, or Azure Marketplace.
The policy does not, however, apply to vulnerabilities that are being actively exploited in the wild. Flaws that pose an imminent or ongoing threat are handled with greater urgency. According to a blog post from Microsoft, "In those cases, we’ll work with the developer to have an update available as soon as possible and may remove the app from the store earlier."
If you have Automatic Updates enabled, sit back and relax, but plan on your system rebooting at some point to finish applying all of the necessary patches. If you don’t use Automatic Updates, get cracking! You’ve got a lot of Critical patches to install.