Patch Tuesday Preview: March 2014

Bulletin 1 covers Internet Explorer versions 6 through 11. Since the zero-day vulnerability highlighted by FireEye in February, used in the watering hole attack it dubbed Operation Snowman, affects only IE 9 and 10, the bulletin must be fixing other vulnerabilities as well. IE versions 10 and 11 will be fixed automatically. Any company using any other version should treat this as the priority and patch as soon as possible.

Bulletin 2 is also marked critical and should be given the second highest priority. It affects most versions of Windows from XP to 8.1, excluding only Windows RT. As with bulletin 1, the vulnerability could lead to remote code execution. "These two are where we should focus our patching efforts," comments Ross Barrett, senior manager of security engineering at Rapid7.

Bulletin 3 addresses an elevation of privilege issue. It's "probably going to be a kernel or kernel driver patch," comments Barrett; "never something to ignore but less important than a critical/remote issue."

The remaining two, he said, are "probably the same issue being patched in Windows and in Silverlight. We will have to wait and see how exploitable this turns out to be. If it turns out that some of these issues are 'in the wild' and under exploitation, then that will change the circumstances of what to prioritize."

It is bulletin 5 that specifically addresses Silverlight. Tyler Reguly, manager of security research at Tripwire, suggests the best way to patch Silverlight would be for developers to stop using it. "Given the limited adoption of Silverlight and the implied support Microsoft gave Flash when they bundled it in IE 11, it's surprising that Silverlight has not been shelved yet. In a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight."

But there's an unstated bulletin that we should perhaps include: any user still running XP should not just be considering an upgrade, but should be actively planning one, to Windows 7 or 8 at least. There are now fewer than 30 days until Microsoft's general support for XP is withdrawn: there will be only one more Patch Tuesday that might include a security patch for XP. After that, new vulnerabilities will not be addressed, and attackers will have free rein with them.

Writing on GFI Software's blog, Deb Shinder warns that it's not just the visible XP machines that could be a problem: a company may have no XP on the premises, but it still needs to be sure that no employee is using XP at home and connecting to the corporate network. "On that basis alone," she says, "it is advisable that businesses update their policies and set up technological safeguards to prevent telecommuters and mobile workers from accessing mission critical network resources with their home computers and laptops until they've upgraded to an OS that is still supported."
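Before any of that policy work, an administrator needs to know how much XP is actually left on the domain. The following is an added example, not code from the article or from any of the vendors quoted in it: it queries Active Directory for computer objects whose operating system attribute reports Windows XP and separates recently active machines (upgrade first) from stale or disabled objects (verify and clean up). It assumes the ActiveDirectory PowerShell module from RSAT is installed, that the account running it can read computer objects, and a 90-day activity window, which is an arbitrary choice.

```powershell
# Added example (not from the article): inventory domain-joined Windows XP hosts
# ahead of the April 2014 end of support.
# Assumes the ActiveDirectory module (RSAT) and read access to computer objects.
Import-Module ActiveDirectory

# Machines that have not logged on for 90 days are treated as possibly stale;
# the window is an assumption, adjust it to the environment.
$cutoff = (Get-Date).AddDays(-90)

# OperatingSystem is written by the machine itself when it joins or boots, so
# the filter only sees hosts that have reported in as XP.
$xpHosts = Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled |
  Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, Enabled

$active = @($xpHosts | Where-Object { $_.Enabled -and $_.LastLogonDate -gt $cutoff })
$stale  = @($xpHosts | Where-Object { -not $_.Enabled -or $_.LastLogonDate -le $cutoff })

"Active XP hosts (schedule for upgrade first): $($active.Count)"
$active | Sort-Object LastLogonDate -Descending | Format-Table -AutoSize

"Stale or disabled XP objects (verify, then upgrade or remove): $($stale.Count)"
$stale | Format-Table -AutoSize

# Keep a record so progress can be tracked week to week
$xpHosts | Export-Csv -Path .\xp-hosts.csv -NoTypeInformation
```

Note the limit that Shinder's warning points at: this query covers only domain-joined machines. A home PC that reaches the network over VPN without joining the domain never appears here, so the technological safeguards she recommends for remote access have to come from the VPN or network access control layer, where the connecting machine's OS can be checked before it is granted access.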
