Microsoft Patch Tuesday March 2014

This month's Patch Tuesday, which is on March 11,  contains five bulletins, two are marked critical and three are marked important.

One of the critical bulletins addresses Internet Explorer, and is believed to include a fix for the zero-day vulnerability highlighted by FireEye last month. Three fixes require a computer restart.

Bulletin 1 involves Internet Explorer versions 6 through 11. Since the zero-day vulnerability highlighted by FireEye in February being used in the watering hole attack it dubbed Operation Snowman affects only IE 9 and 10, other vulnerabilities are also being fixed. IE versions 10 and 11 will be fixed automatically. Any company using any other version should treat this as the priority and patch as soon as possible. 

Bulletin 2 is also marked critical and should be given the second highest priority. It affects most versions of Windows from XP to 8.1, excluding only Windows RT. Like bulletin 1, the vulnerability could lead to remote code execution. "These two are where we should focus our patching efforts," comments Ross Barrett, senior manager of security engineering at Rapid7.

Bulletin 3 addresses an elevation of privilege issue. It's "probably going to be a kernel or kernel driver patch," comments Barrett; "never something to ignore but less important than a critical/remote issue."

The remaining two, he said, are "probably the same issue being patched in Windows and in Silverlight.  We will have to wait and see how exploitable this turns out to be.  If it turns out that some of these issues are “in the wild” and under exploitation, then that will be change the circumstances of what to prioritize.”

It is bulletin 5 that specifically addresses Silverlight. Tyler Reguly, manager of security research at Tripwire suggests the best way to patch Silverlight would be for developers to stop using it. "Given the limited adoption of Silverlight and the implied support Microsoft gave Flash when they bundled it in IE 11, it's surprising that Silverlight has not been shelved yet. In a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight."

If you are a MAC user running Siverlight, should'nt this program be patched?????

But there's an unstated bulletin that we should perhaps include: any user still using XP should not just consider, but should be actively planning to upgrade to a newer version – at least 7 or 8. There are now less than 30 days until Microsoft's general support for XP will be withdrawn: there will be only one more Patch Tuesday that might include a security patch for XP. After that time, new vulnerabilities will not be addressed; and hackers will have free reign with them.

Writing on GFI Software's blog, Deb Shinder warns that it's not just the visible XPs could be a problem: a company may not have XP on the premises, but needs to be sure that no employee is using XP at home and connecting to the corporate network. "On that basis alone," she says, "it is advisable that businesses update their policies and set up technological safeguards to prevent telecommuters and mobile workers from accessing mission critical network resources with their home computers and laptops until they’ve upgraded to an OS that is still supported.”

Bulletin ID Maximum Severity Rating and Vulnerability Impact Restart Requirement Affected Software
Bulletin 1 Critical 
Remote Code Execution
Requires restart Microsoft Windows,
Internet Explorer
Bulletin 2 Critical 
Remote Code Execution
May require restart Microsoft Windows
Bulletin 3 Important 
Elevation of Privilege
Requires restart Microsoft Windows
Bulletin 4 Important 
Security Feature Bypass
Requires restart Microsoft Windows
Bulletin 5 Important 
Security Feature Bypass
Does not require restart Microsoft Silverlight

 

Windows Operating System and Components
Windows XP
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Critical Critical Important Important
Windows XP Service Pack 3 Internet Explorer 6 
(Critical)

Internet Explorer 7 
(Critical)

Internet Explorer 8 
(Critical)

Windows XP Service Pack 3
(Critical)
Windows XP Service Pack 3
(Important)
Windows XP Service Pack 3
(Important)
Windows XP Professional x64 Edition Service Pack 2 Internet Explorer 6 
(Critical)

Internet Explorer 7 
(Critical)

Internet Explorer 8 
(Critical)

Windows XP Professional x64 Edition Service Pack 2
(Critical)
Windows XP Professional x64 Edition Service Pack 2
(Important)
Windows XP Professional x64 Edition Service Pack 2
(Important)
Windows Server 2003
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Moderate Critical Important Important
Windows Server 2003 Service Pack 2 Internet Explorer 6 
(Moderate)

Internet Explorer 7
(Moderate)

Internet Explorer 8
(Moderate)

Windows Server 2003 Service Pack 2
(Critical)
Windows Server 2003 Service Pack 2
(Important)
Windows Server 2003 Service Pack 2
(Important)
Windows Server 2003 x64 Edition Service Pack 2 Internet Explorer 6 
(Moderate)

Internet Explorer 7
(Moderate)

Internet Explorer 8
(Moderate)

Windows Server 2003 x64 Edition Service Pack 2
(Critical)
Windows Server 2003 x64 Edition Service Pack 2
(Important)
Windows Server 2003 x64 Edition Service Pack 2
(Important)
Windows Server 2003 with SP2 for Itanium-based Systems Internet Explorer 6 
(Moderate)

Internet Explorer 7
(Moderate)

Windows Server 2003 with SP2 for Itanium-based Systems
(Critical)
Windows Server 2003 with SP2 for Itanium-based Systems
(Important)
Windows Server 2003 with SP2 for Itanium-based Systems
(Important)
Windows Vista
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Critical Critical Important Important
Windows Vista Service Pack 2 Internet Explorer 7
(Critical)

Internet Explorer 8
(Critical)

Internet Explorer 9 
(Critical)

Windows Vista Service Pack 2
(Critical)
Windows Vista Service Pack 2
(Important)
Windows Vista Service Pack 2
(Important)
Windows Vista x64 Edition Service Pack 2 Internet Explorer 7
(Critical)

Internet Explorer 8
(Critical)

Internet Explorer 9 
(Critical)

Windows Vista x64 Edition Service Pack 2
(Critical)
Windows Vista x64 Edition Service Pack 2
(Important)
Windows Vista x64 Edition Service Pack 2
(Important)
Windows Server 2008
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Moderate Critical Important Important
Windows Server 2008 for 32-bit Systems Service Pack 2 Internet Explorer 7
(Moderate)

Internet Explorer 8
(Moderate)

Internet Explorer 9 
(Moderate)

Windows Server 2008 for 32-bit Systems Service Pack 2
(Critical)
Windows Server 2008 for 32-bit Systems Service Pack 2
(Important)
Windows Server 2008 for 32-bit Systems Service Pack 2
(Important)
Windows Server 2008 for x64-based Systems Service Pack 2 Internet Explorer 7
(Moderate)

Internet Explorer 8
(Moderate)

Internet Explorer 9 
(Moderate)

Windows Server 2008 for x64-based Systems Service Pack 2
(Critical)
Windows Server 2008 for x64-based Systems Service Pack 2
(Important)
Windows Server 2008 for x64-based Systems Service Pack 2
(Important)
Windows Server 2008 for Itanium-based Systems Service Pack 2 Internet Explorer 7
(Moderate)
Not applicable Windows Server 2008 for Itanium-based Systems Service Pack 2
(Important)
Not applicable
Windows 7
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Critical Critical Important None
Windows 7 for 32-bit Systems Service Pack 1 Internet Explorer 8
(Critical)

Internet Explorer 9 
(Critical)

Internet Explorer 10 
(Critical)

Internet Explorer 11 
(Critical)

Windows 7 for 32-bit Systems Service Pack 1
(Critical)
Windows 7 for 32-bit Systems Service Pack 1
(Important)
Not applicable
Windows 7 for x64-based Systems Service Pack 1 Internet Explorer 8
(Critical)

Internet Explorer 9 
(Critical)

Internet Explorer 10 
(Critical)

Internet Explorer 11 
(Critical)

Windows 7 for x64-based Systems Service Pack 1
(Critical)
Windows 7 for x64-based Systems Service Pack 1
(Important)
Not applicable
Windows Server 2008 R2
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Moderate Critical Important Important
Windows Server 2008 R2 for x64-based Systems Service Pack 1 Internet Explorer 8
(Moderate)

Internet Explorer 9 
(Moderate)

Internet Explorer 10 
(Moderate)

Internet Explorer 11 
(Moderate)

Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Critical)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
(Important)
Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 Internet Explorer 8
(Moderate)
Not applicable Windows Server 2008 R2 for Itanium-based Systems Service Pack 1
(Important)
Not applicable
Windows 8 and Windows 8.1
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Critical Critical Important None
Windows 8 for 32-bit Systems Internet Explorer 10 
(Critical)
Windows 8 for 32-bit Systems
(Critical)
Windows 8 for 32-bit Systems
(Important)
Not applicable
Windows 8 for x64-based Systems Internet Explorer 10 
(Critical)
Windows 8 for x64-based Systems
(Critical)
Windows 8 for x64-based Systems
(Important)
Not applicable
Windows 8.1 for 32-bit Systems Internet Explorer 11 
(Critical)
Windows 8.1 for 32-bit Systems
(Critical)
Windows 8.1 for 32-bit Systems
(Important)
Not applicable
Windows 8.1 for x64-based Systems Internet Explorer 11 
(Critical)
Windows 8.1 for x64-based Systems
(Critical)
Windows 8.1 for x64-based Systems
(Important)
Not applicable
Windows Server 2012 and Windows Server 2012 R2
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Moderate Critical Important Important
Windows Server 2012 Internet Explorer 10 
(Moderate)
Windows Server 2012
(Critical)
Windows Server 2012
(Important)
Windows Server 2012
(Important)
Windows Server 2012 R2 Internet Explorer 11 
(Moderate)
Windows Server 2012 R2
(Critical)
Windows Server 2012 R2
(Important)
Windows Server 2012 R2
(Important)
Windows RT and Windows RT 8.1
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating Critical None Important None
Windows RT Internet Explorer 10 
(Critical)
Not applicable Windows RT
(Important)
Not applicable
Windows RT 8.1 Internet Explorer 11 
(Critical)
Not applicable Windows RT 8.1
(Important)
Not applicable
Server Core installation option
Bulletin Identifier Bulletin 1 Bulletin 2 Bulletin 3 Bulletin 4
Aggregate Severity Rating None None Important Important
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) Not applicable Not applicable Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(Important)
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
(Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) Not applicable Not applicable Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(Important)
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) Not applicable Not applicable Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(Important)
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
(Important)
Windows Server 2012 (Server Core installation) Not applicable Not applicable Windows Server 2012 (Server Core installation)
(Important)
Windows Server 2012 (Server Core installation)
(Important)
Windows Server 2012 R2 (Server Core installation) Not applicable Not applicable Windows Server 2012 R2 (Server Core installation)
(Important)
Windows Server 2012 R2 (Server Core installation)
(Important)

Bottom Line:

1. If you are a MAC or Linux user and use Silverlight, you may need to patch Silverlight

2. Be sure to restart your Windows Servers and Computers Wednesday morning

3. If you are still using Windows XP, Let's talk about a plan as April ends support for Windows XP