ITC Security Threat of the Week – Week 21: It’s critical Patch Tuesday – Listen Up!

Today’s Microsoft patch updates contain critical updates for all versions of Windows, you read it right, that is ALL versions of Windows desktop AND server.

If that wasn’t bad enough, so will Visual Studio, Microsoft Office, Microsoft Lync, .NET Framework, and Silverlight. Internet Explorer 6 also needs patching on XP through to RT !

These critical patches include some exploitable issues, one of which was helpfully made public by a Google researcher (thanks for nothing Tavis Ormandy) who doesn’t like the way Microsoft treat security researchers. To be honest with this many issues, it’s no wonder Microsoft are irritated by them!

Our friends at Qualys (at least their CTO Wolfgang Kandek) has been quoted as saying that ‘the IE vulnerabilities and a remote code execution issue in Windows, Office and Lync should be prioritised in the upcoming security triage process’.

Which raises the issue: Do you have a security triage process?

With this many critical issues to be addressed, the patching schedule needs to be prioritised. At ITC, we recommend that this is a manual activity based on an understanding of the estate supported by automatic vulnerability assessment using up to date scanning tools (we recommend Qualys but understand that you may use a different product – as long as it is up to date!).

We also recommend that patch levels are included in your Network Access Control policy, if you have one, which you should in the scary world of Bring Your Own Device (BYOD).

If you would like to discuss patching prioritisation, vulnerability assessment, network access control or in fact any aspect of information security, we have some people who would love to help you out, really we do.

Contact via phone: 020 7517 3900 or email: [email protected].