Patch Tuesday Not Too Taxing for IT This Month, Despite Heavy Patch Count


For the April patches, your first priority is MS13-028, which is a use-after-free issue in all versions of IE. This is one of the few bulletins this month that has a critical impact on the current code, hitting Windows 8, Windows RT and Windows 7 with a critical remote code execution issue. It’s a pretty run-of-the-mill bug for the most part. However, there is a defense-in-depth issue here that was not assigned a CVE because it’s dependent on the user having Java 6.0 or older installed. Given the number of issues Java’s had lately, hopefully no one is still running old versions of Java. If you haven’t updated the software to 7.0 or newer, please do so immediately. Java 7.0 has an automatic update feature that will help keep machines secure with minimal effort from users as we wait for HTML5 to be ready for broad use. Henry recommends that this bulletin be your first patch and you should update Internet Explorer while you’re at it.

According to Paul Henry, security and forensic analyst at Lumension, it’s another heavy month of patches from Microsoft. There are nine bulletins, with two critical and seven important. While nine may seem like a lot, there are a few pieces of good news this month. First, there are only two critical bulletins and most of the patches are rated important. Second, most of the impact is on the legacy code base, rather than the current code that has been impacted more than usual over the last few months. If your system is running the latest and greatest versions of software – as you should always do, since newest is usually the most secure – then you should be minimally impacted this month. And finally, Microsoft is not your biggest issue this month, despite nine patches.

As we enter our first patch of Q2, it’s worthwhile to look at the numbers. This year, Microsoft has issued 35 bulletins so far, with an average of almost nine per month, of which about three are critical and six are important. Compare that to 2012, when there were 28 bulletins by April, averaging seven per month. Though the overall number is up from 2012, the average number of critical vulnerabilities is holding steady at about three, while important vulnerabilities make up the difference, averaging four in 2012. With the number of important bulletins increasing, but critical holding steady, we can infer that Microsoft gets better every year at finding the low-risk, low-impact issues and getting them fixed in a timely manner. This is good news.

Before diving into the patches, there are a few other Microsoft issues to note, including an expected Flash update next week, which users should be prepared for. More importantly, this month marks the one-year “death clock” for XP. In April 2014, Microsoft will end support for Windows XP. If you haven’t already, it’s time to start thinking about migrating to a new OS if you’re still running XP.

 
