Bulletins 1 and 2 concern critical vulnerabilities affecting only the newer Windows 7 and 8 operating systems. "The first patches a remote code execution vulnerability that affects Windows 7 through to Windows 8.1, including 8.1 RT. The second, also a remote code execution, is actually an issue in Forefront Protection for Exchange Server (2010)," explains Ross Barrett, senior manager of security engineering at Rapid7.
On bulletin 2, Ken Pickering, director of engineering at CORE Security, points out the irony that "a product (Forefront for Exchange) that is designed to protect a service actually allows a remote code execution and weakens the security posture of the target system." His colleague Tommy Chin, a technical support engineer at CORE Security, suggests that this should make bulletin 2 the priority: "It would be tragic to let the Forefront software protecting your Exchange Server be part of the attack path an attacker uses as the open door."
Barrett agrees with this interpretation. "Given a remote code execution in a perimeter service like Forefront, I’d have to say that this is the highest priority patching issue this month." He adds that the next priority is "not surprisingly, the critical [bulletin 1] in Windows 7 and later."
"Bulletins #3 and #4 are local vulnerabilities for all versions of Windows, and address an elevation of privilege and an information disclosure vulnerability respectively," writes Wolfgang Kandek, CTO at Qualys. "Bulletin #5 addresses a Denial of Service condition in Windows 8."
These last three can be given a slightly lower priority. "The other three issues are all of lower risk and likely lower exploitability, ranging from information disclosure to denial of service and elevation of privilege," says Barrett. They're "not to be ignored, but should be of slightly less concern than remote critical vulnerabilities."
Both Pickering and Chin, however, suggest that bulletin 3 should be the next priority after bulletins 1 and 2. "An elevation of Privilege (Bulletin 3) on .NET is always interesting," warns Pickering, "since if you're running in a Microsoft shop, you're also likely running .NET applications. People running .NET applications on machines with reduced permissions (a great policy to have) should make this update as soon as possible." Chin points out that "it can compromise all operating systems via privilege escalation except Windows Server 2008 SP2 Server Core," and adds, "I would pay close attention to patching this one."
Ziv Mador, director of security research at Trustwave, points out that even though it's a light Patch Tuesday this month, nearly everyone will be affected somewhere. "Since the three 'Important' Windows bulletins combined affect a wide spread of Windows versions, it's likely that this security release will affect you. Only one bulletin will require a system restart. Unfortunately this is a Windows patch mitigating a denial-of-service vulnerability affecting all versions of Windows from XP to Windows 8.1. To keep a long story short, plan on grabbing a cup of coffee sometime next Tuesday while these systems restart after the patch install."
Executive Summary

Bulletin ID | Maximum Severity Rating and Vulnerability Impact | Restart Requirement | Affected Software
---|---|---|---
Bulletin 1 | Critical: Remote Code Execution | May require restart | Microsoft Windows
Bulletin 2 | Critical: Remote Code Execution | May require restart | Microsoft Security Software
Bulletin 3 | Important: Elevation of Privilege | May require restart | Microsoft Windows, Microsoft .NET Framework
Bulletin 4 | Important: Information Disclosure | May require restart | Microsoft Windows
Bulletin 5 | Important: Denial of Service | Requires restart | Microsoft Windows