As anticipated, the latest round of Microsoft's Patch Tuesday monthly release of security fixes addresses a widely known IE (Internet Explorer) vulnerability already being exploited by malicious hackers.
The critical IE bulletin covers one publicly disclosed vulnerability and nine vulnerabilities not yet known by the public. The other three critical bulletins address flaws in the Windows OS. Three of the bulletins marked as important address issues with Microsoft Office, and the fourth remedies a problem in Silverlight.
Administrators should apply the patch for the IE vulnerabilities first, advised Wolfgang Kandek, CTO of IT security firm Qualys.
This month's collection also marks the 10th anniversary of Microsoft's Patch Tuesday, which the company started in October 2003 to bundle security patches into monthly release cycles so that system administrators could apply them all at the same time rather than deal with each patch individually.
Although holding on to crucial patches for up to 30 days can be potentially problematic in terms of security -- at least for those patches that address publicly known vulnerabilities -- the monthly release cycle has been beneficial for the industry, in that it brings order to an otherwise unruly process of staying ahead of those who exploit vulnerabilities for nefarious purposes, Kandek said.
"Our perspective has certainly evolved from 10 years ago when Patch Tuesday was started. Back then vulnerabilities were clear cut and straightforward to understand. Today the amount of complexity that goes into the detection and remediation process is truly impressive," Kandek later added in an e-mail statement.
The publicly disclosed IE vulnerability involves how IE accesses computer memory, allowing a maliciously designed Web page to gain user privileges on a computer. "Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," a Microsoft advisory warned.