Patch Tuesday preview: February 2013

Bulletins 1 and 2 deal with vulnerabilities in all versions of Internet Explorer. They are marked critical, and could lead to malicious code exploitation without any user interaction – such as via drive-by downloading and exploit kits. Users of IE 10 will be updated automatically, but all other users should update as soon as possible on Tuesday.

Paul Henry, a security and forensic analyst with Lumension, believes that it’s possible “that this is related to the recent and ongoing Java issues. Microsoft has a very close relationship with Oracle, so it wouldn’t surprise me if these bulletins include Java patches.”

Bulletin 3, also critical, affects XP and Vista, and Windows Server 2003 and 2008; while Bulletin 12 (critical) affects XP SP3 only. “Bulletin 4 [critical],” suggests Wolfgang Kandek, CTO at Qualys, “is the expected Patch to Microsoft Exchange, which uses the Outside-In software library from Oracle that contains critical vulnerabilities and that Oracle updated in last month's Critical Patch Update (CPU).”

The remaining seven bulletins are all marked important. Bulletin 5 can lead to remote code execution and affects Office and Server software. The main difference between the critical and important labels is that ‘important’ requires some user interaction – such as accepting a warning pop-up – while ‘critical’ requires none. Where end-user software is concerned, such as Office, this can be an academic rather than effective distinction. Some users automatically click ‘OK’ on OS warnings without any conscious interaction. Admins may generally be advised, then, to consider important end-user bulletins with the same urgency as critical bulletins.

Bulletins 6 and 10 address vulnerabilities that can lead to denial of service against Windows Server 2008 and 2012 (both), and also Vista and Windows (Bulletin 10). The remaining bulletins all address vulnerabilities that can lead to an escalation of privilege; “Meaning,” notes Kandek, “that one already has to be on the targeted computer to be able to attack them.” The problem with the modern advanced threat is that this may have already happened – possibly via the critical vulnerabilities that are dealt with in Bulletins 1 and 2.

Since two of the critical bulletins and five of the important bulletins all require a system restart (the remaining five bulletins ‘may’ require a restart), February’s Patch Tuesday promises to be somewhat disruptive.
