Is it really Patch Tuesday time again already?
After the past few months with a high number of patches, March is relatively quiet, with just seven patches – but four of those are critical. Or as the Sophos Naked Security Blog stated it, “drop-everything-and-fix-this-now” critical. The blog also stated this truism:
On the surface of it, March doesn't look half as gnarly as the monster-sized 57 updates that Microsoft dumped on our doorsteps in February. But numbers don't tell the whole story. For every corporation, every patch brings the possibility of conflicts.
Perhaps not surprisingly, one of those critical patches involves IE – and experts are advising that this patch be addressed first. The folks at Trustwave SpiderLabs told me the following in an email:
Bulletin One is Remote Code Execution (RCE), is rated as critical and impacts just about every version of Windows from XP SP3 on up and Internet Explorer 6 through 10. My guess is this will probably be a use after free vulnerability, we’ve seen a lot of those lately, they impact a lot of stuff and often result in in RCE.
However, this patch warning may be incomplete. Ross Barrett, security manager of security engineering at Rapid7, told me that, in his opinion, it should include IE 10 for Windows 7, unless the fix came when IE10 for Win7 was released recently. In any case, Barrett agrees that this patch needs to be taken care of immediately, no matter what version of IE you are using.
Why is it so important to deal with patches, especially critical patches, as soon as they come out? It isn’t just a matter of protecting the network, but it is an effort to try to keep a half-step ahead of the bad guys. As the Naked Security Blog pointed out, the bad guys are also interested in the newest patches so they can exploit all of these newly announced vulnerabilities. Delaying the patches means the hackers know exactly where they can slip into your network and take over your machines.
That IE has yet another flaw that needs to be patched disturbs me. (That people are still using IE6 is even more disturbing . . .). I keep hearing that the newer versions of IE are supposed to be more secure, yet, it seems that every month a new hole is found. At this point, it is time to question whether the browser can ever be secure.