Although Lumension security and forensic analyst Paul Henry are calling it a "pretty sweet Valentine's Day" for Microsoft, given the relatively light patch load for the month, additional patches from Adobe may spoil the mood for others.
VALENTINE'S DAY PATCH TUESDAY: Microsoft to issue 9 patches, 4 critical
As previously noted, four of Microsoft's nine security bulletins are deemed "critical." The most important, Henry says, are the two bulletins that have been publicly disclosed. One is susceptible to remote code execution in Windows, while the other addresses a similar vulnerability in Silverlight and the .NET Framework.
Beyond that, Henry believes the two patches deemed "important" should receive higher priority because they have also been publicly disclosed. Both are susceptible to remote code execution in Windows, one through the Color Control Panel and the other through Indeo Codec.
However, given the recent spike in browser-based attacks, Qualys CTO Wolfgang Kandek says the patch for four privately discovered vulnerabilities in Internet Explorer -- MS12-110 -- should receive the most attention.
"We have seen how quickly attackers can react to new vulnerabilities when exploits for MS12-004 appeared within 2 weeks of its release on attack sites," Kandek says. "So while none of the vulnerabilities in MS12-010 were publicly known, you should install this fix as quickly as possible."
Although it surpassed the seven bulletins released last month, the nine patches issued today is a low for the month of February since 2009. That's a sign that a focus on security may be paying off for Redmond, Henry says.
However, a happy Valentine's Day for Microsoft doesn't necessarily mean the same for the IT department. Citing Oracle's concurrent release of patches for 14 Java vulnerabilities, which have been targeted particularly frequently of late, Henry says some support teams may have their hands full.
"The light patch load from Microsoft does not mean IT can sit back and relax however," Henry says. "A significant patch update from Oracle came out recently and, as always, threats targeting Java must be addressed, as currently it is the bad guys' most popular attack vector."
Similarly, Adobe released five security bulletins today as well. Four of the patches, specifically those addressing vulnerabilities in Shockwave Player, Flash Media Player Server, Flash Player and Photoshop, were deemed critical, while another targeting vulnerabilities in Robohelp was rated important.