Microsoft is set to release "critical" bulletins impacting Internet Explorer and Windows next week as part of Patch Tuesday.
All totaled, Microsoft will release nine security bulletins, only two of which are "critical" and deal with remote code execution issues. The seven other bulletins are rated "important" and address vulnerabilities in Microsoft Office, Windows Defender, Microsoft Server Software and Windows. All but one of those seven bulletins deals with privilege-escalation issues, while the remaining bulletin addresses a denial-of-service vulnerability.
"As we enter into our first patch of Q2, it's worthwhile to look at the numbers," said Paul Henry, security and forensic analyst at Lumension, who observed that there has been an average of nine bulletins per month this year. That figure compares with the 28 bulletins issued between January and April in 2012.
"Though the overall number is up from 2012, the number of average 'critical' vulnerabilities is holding steady at about three, while 'important' vulnerabilities make up the difference averaging four in 2012," he added. "With the number of 'important' bulletins increasing, but 'critical' holding steady, we can infer that Microsoft gets better every year at finding the low-risk, low-impact issues and getting them fixed in a timely manner. This is good news."
Several security experts said that bulletin one, a "critical" bulletin impacting Internet Explorer, should be the first priority for most organizations.
"It is rated 'critical' and allows remote code execution through today's most common attack vector: one of your users browsing to a malicious Website," blogged Qualys CTO Wolfgang Kandek, who called attention to the fact that the bulletin affects all versions of Internet Explorer, including IE10. "Bulletin 2 is the second vulnerability, rated 'critical,' and affects the Windows Operating System, except the newest versions, Windows 8, Server 2012 and Windows RT (the tablet version)."
Among the bulletins rated "important," bulletin seven, which deals with the escalation of privileges in Windows Defender running on Windows 8 and Windows RT, should be the next priority, Henry recommended.
"Windows Defender is an important security component for the new operating systems, so it's a little concerning to see it impacted here, even if only at an 'important' rather than 'critical' level," he said. "If you're running either of those systems, I would patch this 'important' bulletin first."
Microsoft's priority ratings are a good starting place for most organizations when it comes to patch management, but in the end, it really comes down to prioritizing patches according to what is most critical in a particular organization's infrastructure, said Andrew Storms, director of security operations at nCircle.
"For example, if your company relies heavily on SharePoint, you'll probably want to carefully consider the prioritization of a SharePoint patch, no matter what priority Microsoft assigns," he said. "The ANS is really just designed to give companies a heads-up about what's coming. IT security teams have some sense of what to expect, but they have to wait for next week to determine priorities that make sense for their businesses."
The security updates are slated to be released Tuesday, April 9.