Get ready. Microsoft is unleashing 12 security bulletins next Tuesday to address a whopping 57 separate vulnerabilities.
Andrew Storms, director of security operations for nCircle, explains, “The dirty dozen affects a wide range of operating system versions and includes Exchange Server, a critical business application. Over the past few months Microsoft has released a number of bug fixes for Oracle’s Outside In technology used by Exchange Server, but none of the bugs fixed represented severe threats. Exchange Server bugs make a lot of people nervous; let’s hope this month’s Exchange patch is as dull as ditch water.”
According to the Microsoft Advance Notification, five of the 12 security bulletins are rated as Critical, while the remaining seven are Important.
Alex Horan, senior product manager, CORE Security, says, “This month we see some significant vulnerabilities with the potential to create a formidable one-two punch, which could be key to hackers unleashing the most powerful attacks in their arsenals. When these exploits are used in the right combination, the effects can be deadly for system administrators.”
Rapid7’s Senior Manager of Security Engineering, Ross Barrett, tries to find some silver lining, “It’s both good and bad news that the patches are mostly clustered on Windows Operating System, without dipping too much into Office or more esoteric specialty Microsoft products. It’s good because administrators probably don’t have to worry about applying multiple patches for the same advisory to a single host. It’s bad because an organization with even the simplest deployment of Microsoft products will probably be hit by all of these advisories, meaning their desktop and server teams will be extra busy.”
Storms has some concerns about Internet Explorer. “Internet Explorer patches are always a top priority, and this month we’re going to get two Internet Explorer bulletins. That’s unusual because generally, when Microsoft patches IE, the patch is delivered as a single bulletin. The planned delivery of two separate IE bulletins has my ‘Spidey’ senses on alert. I’m sure other IT security teams are wondering exactly what kind of IE valentine we’re going to get.”
Qualys CTO Wolfgang Kandek points out that Microsoft is not the only vendor issuing patches. “Adobe released, out-of-band, a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild. Update your Flash installations as quickly as possible; users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.”
I hope you didn’t have anything going on for Valentine’s Day, because you might be busy.