Every month, on the second Tuesday, it’s Patch Tuesday for Microsoft users.
That means that the company grabs its fixes and vulnerability patches – designed to protect computer users from hackers and malware exploiting flaws in Microsoft’s products – and rolls them up into a bundle of security updates and bulletins.
For the benefit of highly-stressed IT staff around the globe, the software company releases a pre-announcement in the days running up to Patch Tuesday, giving a few details of the products that are likely to be patched, and the severity level of flaws that are fixed.
Yesterday, 11 February 2013, was the second Tuesday of the month, and sure enough Microsoft issued its latest security updates.
What was different on this occasion was that two additional critical bulletins were included in the mix that hadn’t been in Microsoft’s initial pre-announcement – and one of them was a mammoth Internet Explorer update that addresses a whopping 24 vulnerabilities.
Those Internet Explorer flaws cover versions of the browser going all the way back to IE 6.
(By the way, if you’re still using a version of Internet Explorer that old and creaky, I can only imagine you get a kick out of playing Russian Roulette with your computer’s safety.)
In all, Microsoft issued seven patch bundles, addressing over 30 vulnerabilities in Windows and related software.
Perhaps the most serious vulnerabilities are those that allow remote code execution, such as that addressed by Microsoft Security Bulletin MS14-007.
Simply viewing a webpage boobytrapped to exploit that critical vulnerability could silently run malware on your computer, infecting your PC.
As Microsoft describes:
“An attacker would have to convince users to take action, typically by getting them to click a link in an email message or in an Instant Messenger message that takes users to an attacker’s website, or by getting them to open an attachment sent through email.”
Of course, if you’re running Windows you should apply all of the fixes at the earliest opportunity. Indeed, if you are a home user, my recommendation is to set up your computer to automatically install security updates.
That’s a sensible course of action because some of the vulnerabilities fixed this Patch Tuesday have already been publicly disclosed, meaning malicious hackers have already had an opportunity to exploit them.
However, if you are responsible for a company’s protection, it’s not unusual to test the patches before rolling them out across your entire enterprise.
That’s simple good practice for many businesses. After all, in the past, Microsoft security patches have sometimes been flawed – and caused more problems than the vulnerabilities they were attempting to fix.
If your system administrator looks a little frazzled this week, be nice to him or her and don’t grumble too much about the photocopier being jammed. It may be that they have more serious issues on their mind.
For more details on Microsoft’s Patch Tuesday security updates, visit the Microsoft website.
Author Graham Cluley, We Live Security