The second Tuesday of the month has passed, and that means it's time for a little blogging about patches.
And in an odd twist, on Monday Microsoft updated the advance security advisory it released last week, adding details on two additional bulletins. So, for the month of February, we will be seeing a total of 7 patches being released, with 4 of them rated as Critical.
First up is MS14-010, which provides an update to all versions of Internet Explorer. This patch is considered the most crucial to deploy this month, as it affects a large number of users currently running Internet Explorer (any version from IE 6 to IE 11). The vulnerabilities corrected in this update could allow remote code execution, meaning that an attacker could potentially take control of an affected system.
The next two major updates, MS14-011 and MS14-007, are both critical and correct flaws that could allow remote code execution. MS14-011 fixes problems in VBScript, which is a built-in scripting language in Windows used primarily in business environments. This patch affects all current versions of Windows, from XP to 8.1, plus all the supported Server versions (2003, 2003 R2, 2008, 2008 R2, 2012, 2012 R2). MS14-007 involves fixes to the way a system presents a website, and only affects Windows 7, 8, and 8.1. Both MS14-011 and MS14-007 require a user to do something, so the risk is slightly lower for these two when compared to MS14-010.
The last critical update, MS14-008, addresses a remote code execution vulnerability in Microsoft Forefront Security for Exchange Server. Most small businesses do not run a local Exchange server, so it is recommended to check with your IT service provider to determine if your systems need this patch applied.
The final three updates are all rated as Important, with impacts ranging from privilege escalation (giving a standard user the rights that an administrator would have) and information disclosure to denial of service. MS14-009 and MS14-005 (the privilege escalation and information disclosure patches, respectively) apply to all supported versions of Windows, but are only applicable on systems running certain software configurations. MS14-006 only applies to Windows 8, RT, and 2012.
As always, A2Z recommends that each patch be tested on a designated test system prior to deploying to production systems to verify that the patches do not break something really important. If you need assistance or would like additional information on the patches from Microsoft for this month, feel free to contact us.
Also, don’t forget to update your Flash Player this month, as detailed in this previous blog post.
Plus, the obligatory Windows-XP-End-of-Life announcement. There are now only two Patch Tuesdays left before Windows XP and Office 2003 support is discontinued. Users still running XP or Office 2003 are highly encouraged to look at migrating to a newer operating system very, very, very soon.
For more information on this month’s patches, be sure to check out Microsoft’s Security Bulletin Summary.