What would Patch Tuesday be without a Critical IE Cumulative Update. It would probably just feel wrong. So it is no surprise that the lead in patch for this month was an IE Cumulative, was rated Critical, and covers a whopping 18 CVE’s Needless to say this is the most important update to push for March.
There was also a Security Advisory for IE and an Update from Google Chrome to add plug-in support for the Adobe Flash patch that released on the 11th. While this Flash update was only rated as a Priority 2 (by Adobe’s definition of severity), this update replaces APSB14-07 from February 20th which was a Priority 1. That update resolves three CVE’s of a more serious nature. Unless you are patching your endpoints multiple times each month that puts the Flash update to a high priority in our opinion. The other two Flash updates we have seen so far this year (1/14 and 2/4) resolve three additional high priority CVE’s. Long story short, UPDATE FLASH!
Google Chrome had a update to the Stable Channel resolving 4 high priority CVE’s and 3 additional vulnerabilities that were not as severe. The 4 high’s plus the Flash plug-in push Chrome up into the spotlight with IE and Flash this month. Roll those three product updates out ASAP!
Aside from that Microsoft did have another Critical update this month, in DirectShow (MS14-013), which should be a priority. While there are no active attacks currently identified, the vulnerability could allow for Remote Code Execution by enticing a user to click on a JPG file in IE. This type of exploit reemphasizes the importance of the least privilege rule. It could mean the difference between giving the attacker keys to the kingdom vs keys to the room they entered.
The Important bulletins for March may not be as high of a priority, but we have two Security Feature Bypass exploits in the SAMR protocol and in Silverlight. Although possibly more difficult to exploit and not currently being exploited in the wild, you will want to get these rolled out in a timely manner. We also have a Kernel-Mode Driver to update. Again, only rated as Important, but as with all Kernel updates, you will want to ensure proper testing before rolling out.
For these types of updates and more, join us each month for the Shavlik Patch Tuesday webinar. In this monthly webinar we discuss the Microsoft and 3rd Party updates that affect you and your users. We focus on Patch Tuesday, but we also discuss what happens in between. Remember, 86% of attacks of reported vulnerabilities target 3rd Party applications. Those vendors do not release on the same schedule as Microsoft and what happens between Patch Tuesdays can often be of more importance than what happens on Patch Tuesday.