This is the first in a series of informational blog posts from AVG’s SMB community designed to analyze the state of the patch environment. Our commentary will initially focus on the Microsoft Windows operating system but may extend outwards over time.
Patches are, of course, software code updates issued for existing applications. Often focused on application security vulnerabilities, patches also address performance and usability. Microsoft has dubbed the second Tuesday of every month ‘Patch Tuesday’ and uses this day to update products across its suite of applications and the Windows operating system itself.
Microsoft issues patches for all of its “currently supported” applications and operating systems, so updates for Windows XP will sit alongside updates to Windows 7 and so on.
This February’s update included a total of 21 patches dedicated to fixing flaws found in Windows, Microsoft Office, Internet Explorer and .NET/Silverlight. The Internet Explorer patch was rated as “critical” as it relates to the risk of code execution attacks via drive-by downloads.
Microsoft usually recommends a restart after critical patch updates are downloaded and applied, as it has done for this February 2012 release. Lesser patch updates ranked as “important” may not always require a restart.
Of special importance this month is patch bulletin ID MS12-013. Microsoft specifies that this security update resolves a privately reported vulnerability in Microsoft Windows.
According to the company’s security bulletin, “The vulnerability could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment. An attacker who successfully exploited the vulnerability could gain the same user rights as the local user.”
Microsoft’s Patch Tuesday bulletin deployment priority chart will guide you through patch criticality and additional related information: http://bit.ly/zPz22J