
Microsoft Shows Its Love In Valentine's Day Patch Release

By Antone Gonsalves, CRN
February 09, 2012    7:45 PM ET

Microsoft on Thursday released a preview of nine security patches scheduled for release on Valentine's Day to fix almost two dozen vulnerabilities, some critical, in Windows and other software.

The four critical fixes, which Microsoft calls bulletins, get the highest rating because they could allow a hacker to run malicious code in Microsoft software from a remote location. Three of the patches will require a computer reboot to install.

Two of the critical patches are for Windows, while another fixes the Silverlight media player and the fourth the Internet Explorer browser. "We're seeing a great many browser patches from Microsoft these days because researchers and attackers have realized that browser exploits have the most potential for harm and are currently the best attack surface," Marcus Carey, security researcher at Rapid7, said in an e-mail. Boston-based Rapid7 sells software tools for testing application security.

The Silverlight patch is the fourth critical fix over the last few months for the media player, which has also become a favorite target of hackers, along with third-party browser plug-ins, Carey says. "Media players and browser plug-ins are very popular attack vectors these days."

Microsoft releases security bulletins the second Tuesday of each month. The number of patches released each month has been dropping year to year, with this month's release containing three fewer bulletins than the one a year ago. But the number of critical patches this year is higher, four compared to three.

Overall, Microsoft's releases this year have been light. In January, the company published seven bulletins. "All in all, it's a pretty sweet Valentine's," Paul Henry, security and forensic analyst at Scottsdale, Ariz.-based business security vendor Lumension, said in a statement. "We've had two fairly light patching periods in a row."

The remaining bulletins in the latest release are rated important, the next step below critical. Three would enable a hacker to run malicious code remotely on Office or Windows, making them a priority installation for IT staff, along with the critical patches. Microsoft lists these types of flaws as "remote code execution" and rates them based on how difficult they would be to exploit.

"It’s surprising that this month’s patch affects almost every Windows operating system," Andrew Storms, director of security operations for San Francisco-based vendor nCircle, said in a commentary. "That's kind of weird because newer OS versions are generally more secure."
