Patch Tuesday Preview: September 2013

The four critical bulletins affect Sharepoint (#1), Outlook (#2), Internet Explorer (#3) and XP and Windows 2003 (#4). These should take priority, with most commentators concentrating on bulletins #1, #2 and #3.

"IT’s first priority this month," warns Lumension's security and forensics analyst Paul Henry, "should be bulletin 3 – a remote code execution impacting the very popular browsers of IE 6, 7 and 8."

"Bulletin #3 is a critical update for Internet Explorer (IE) affecting all versions starting from IE6 to IE10 and including Windows 8 and Windows RT," explains Wolfgang Kandek, CTO at Qualys.

"Next in line," suggests Henry, "should be bulletin #1, a critical remote code execution vulnerability in another popular tool, Sharepoint." Kandek agrees that this should have the highest priority for server administrators, but warns that it will require "diligent testing to assure that the patch does not impact any business critical functionality."

Tommy Chin, a technical support engineer at CORE Security, explains the urgency: “The data on a server machine is typically worth more than data on a workstation machine and it is fairly easy to discover SharePoint servers using Google”, he warns. “Attackers can leverage this easy-to-obtain list, and start hammering on SharePoint servers around the world.”

Bulletin #2 is considered equally urgent: "it addresses a flaw in Microsoft Office that can be triggered simply by previewing an e-mail in Outlook, even without explicitly opening the e-mail. Outlook in Office 2007 and 2010 is affected," explains Kandek. 

The problem for users is that Outlook automatically displays the content of each email it previews. Andrew Storms, director of DevOps at CloudPassage, suggests that users should disable the preview pane in Outlook 2007 and 2010 until more is known about bulletin #2's vulnerabilities when the bulletin is released next Tuesday.

Bulletin #4 is the last of the critical updates. It affects XP and Windows 2003. Users still using this software should patch as soon as possible, but should equally be planning to upgrade to newer software. "Bulletin #4, the last critical bulletin, addresses a flaw in Windows, but only affects the soon-to-be legacy operating systems Windows XP and Windows Server 2003," explains Kandek. "You should be phasing those out by now since they lose support for security patches in April of next year, similar to Office 2003 which will also lose support in April."

The Catch-22 of Patch Tuesday is particularly relevant this month. By batching the patches, Microsoft creates a heavy load on sysadmins, making it difficult to do everything at once. But the very release of the bulletins makes prompt patching all the more important. Craig Young, a security researcher at Tripwire, explains the problem: "Network administrators will likely see an uptick in phishing attacks using crafted Office documents as attackers quickly reverse Microsoft’s patches to create 0.5 day exploits.”