Patch Tuesday Not Too Taxing for IT This Month, Despite Heavy Patch Count

Email     |     Share  
1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13
Next Patch Tuesday Not Too Taxing for IT This Month, Despite Heavy Patch Count-10 Next

MS13-036 is another kernel mode drivers issue, similar to the other kernel issue this month. There are four CVEs for this patch. Three allow a local user to use kernel raise conditions to elevate to system access. The fourth CVE is a moderate elevation of privilege issue, which is unusual for Microsoft. To leverage this CVE, an attacker would need to be an admin, which removes the need to leverage it. Alternatively, a low-rights user would need to use a specially crafted external device, such as an USB. Last month, Microsoft had an interesting USB bug that got a lot of attention. This is nothing like that. Last month’s bug allowed computers to be attacked regardless of the user’s log-in status. This month’s bug only allows a logged-on, active system to be attacked, so logon credentials are required. There are easier ways for an attacker to get in.

According to Paul Henry, security and forensic analyst at Lumension, it’s another heavy month of patches this month from Microsoft. There are nine bulletins, with two critical and seven important. While nine may seem like a lot, there are a few pieces of good news this month. First, there are only two critical bulletins and most of the patches are rated important. Second, most of the impact is on the legacy code base, rather than the current code that has been impacted more than usual over the last few months. If your system is running the latest and greatest versions of software – as you should always do, since newest is usually the most secure – then you should be minimally impacted this month. And finally, Microsoft is not your biggest issue this month, despite nine patches.

As we enter into our first patch of Q2, it’s worthwhile to look at the numbers. This year, Microsoft has issued 35 bulletins so far, with an average of almost nine per month, of which about three are critical and six are important. Compare to 2012, where there were 28 bulletins by April, averaging seven per month. Though the overall number is up from 2012, the number of average critical vulnerabilities is holding steady at about three, while important vulnerabilities make up the difference, averaging four in 2012. With the number of important bulletins increasing, but critical holding steady, we can infer that Microsoft gets better every year at finding the low-risk, low-impact issues and getting them fixed in a timely manner. This is good news.

Before diving into the patches, there are a few other Microsoft issues to note, including an expected Flash update next week, which users should be prepared for. More importantly, this month marks the one year “death clock” for XP. In April 2014, Microsoft will end support for Windows XP. If you haven’t already, it’s time to start thinking about migrating to a new OS if you’re still running XP.


Related Topics : Unisys, Stimulus Package, Security Breaches, Symantec, Electronic Surveillance

More Slideshows

Social14-190x128.jpg 10 Ways to Improve Your Social Media Security Policy and Posture

When phone calls, video conference information, pictures, chat logs, etc. are all stored in a central location via social media, a potential hacker has access to just about everything, quickly and easily. ...  More >>

Security120-290x195 5 DDoS Myths Debunked

Unearth the real story behind five commonly held myths about distributed denial-of-service attacks. ...  More >>

Security119-190x128 8 Tips for Ensuring Employee Security Compliance

IT security ultimately depends on making sure employees use the appropriate tools and comply with policies designed to protect them and their data/applications. ...  More >>

Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.