Today will be a busy day for IT administrators and certain users, as Microsoft releases its monthly roster of software updates. For this month’s Patch Tuesday, Microsoft is bringing out seven bulletins: six rated “Critical” and only one rated “Important”.
Though this month does not have the most security fixes, users must apply these as soon as possible. The critical bulletins all address remote code execution vulnerabilities, which means that successful exploitation may allow an attacker to execute malware on vulnerable systems. Affected software includes Windows, Silverlight, Office, and Internet Explorer.
The sole “Important” bulletin addresses issues found in Windows Defender that may allow an attacker to gain elevated privileges on an outdated system or server.
This month’s bulletins also address the zero-day flaw reported by Google researcher Tavis Ormandy, which was first reported last May. The vulnerability stems from the Windows kernel and may lead to malware execution.
Disclosure has also been a hot topic these past days, right after Google’s announcement of its new policy regarding zero-day bugs and exposure. The software company suggested that vulnerability information disclosure must occur no more than seven days after the vendors were notified. However, as our own CTO Raimund Genes argues, this seven-day timeline is okay, though expecting a security patch within that time frame is unreasonable. The bigger issue that should be addressed is how this information is reported.
Users are advised to apply these security updates ASAP. For Trend Micro users, Deep Security provides solutions for certain vulnerabilities cited in MS13-055.