Microsoft Slates Critical Patch Tuesday Updates for Windows, Security Software

Microsoft is planning to release five security bulletins next week for this month's Patch Tuesday, including two that are rated 'critical.'

According to the company, the critical bulletins address remote code execution issues in Microsoft Windows and Security Software, while the other bulletins - which are all rated 'important' - address various issues in Windows and the .NET Framework.

"Microsoft continues the trend they started last month of keeping Patch Tuesday relatively light," said Ross Barrett, senior manager of security engineering at Rapid7. 

"The two critical advisories are unusual in that they don’t touch older versions of Windows or Internet Explorer," he added. "The first patches a remote code execution vulnerability that affects Windows 7 through to Windows 8.1, including 8.1 RT. The second, also a remote code execution, is actually an issue in Forefront Protection for Exchange Server (2010). Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month. The second is, not surprisingly, the critical in Windows 7 and later."

Researchers with CORE Security suggested organizations treat the second bulletin with the highest priority.

"It would be tragic to let the Forefront software protecting your Exchange Server be part of the attack path an attacker uses as the open door," said Tommy Chin, technical support engineer, CORE Security. "Bulletin 4 seems to be interesting as well. The type of information disclosed by this vulnerability would be interesting to know since it affects all major Windows operating systems."

The security updates will be released Feb. 11. So far, 2014 has been a quiet one for Microsoft updates. In January, the company issued just four security bulletins, and none of them were classified as 'critical.' But IT departments have other security updates to worry about.

"Adobe released an emergency fix this week to patch vulnerabilities in the Flash Player plug-in for IE and other browsers," noted Russ Ernst, director of product management at Lumension, in a blog post. "These vulnerabilities are under active attack and given the widespread use of Flash in browsers, this will create a cascading effect for companies like Firefox, Google and others to also address it."
