At a deployment priority of two is MS14-008, a vulnerability in Microsoft Forefront Protection for Exchange that could allow remote code execution. This bulletin is rated as critical and addresses a privately reported vulnerability. Although the bulletin has a critical severity, the vulnerability is applicable to a software product that Microsoft stopped updating back in September 2012. This is an example of Microsoft honoring their commitment to fixing any security gaps in this application, but this should make administrators think about upgrading their Exchange servers to the latest version (which includes basic anti-malware protection by default) or considering a third-party email security application. Administrators that currently use Forefront Protection for Exchange have until December 2015 to get this done.
Microsoft was looking to deliver a light Patch Tuesday this month, but added two last-minute bulletins to the mix. February now includes seven bulletins, four critical and three important, that cover a total of 32 CVEs. The patches address vulnerabilities in Windows, Internet Explorer, Security Software and the .NET framework. Russ Ernst, director of product management at Lumension, takes a closer look at this February's Patch Tuesday.