Microsoft will release five patches next week, with two rated as critical.
The two critical patches both fix remote code execution flaws in Windows and Internet Explorer, while the three important-rated patches fix elevation of privilege and security feature bypass vulnerabilities in Windows and Silverlight.
Ross Barrett, senior manager of security engineering at Rapid7, said that this continues the light trend of 2014 Patch Tuesdays. “We only see two issues that are critical/remote code execution, one of which is the usual IE, the other is an Operating System issue which affects most versions of Windows from XP up to 8.1/2012r2. These two are where we should focus our patching efforts,” he said.
“Of the remaining issues, one is an important privilege issue, probably going to be a kernel or kernel driver patch. Never something to ignore but less important than a critical/remote issue.”
Wolfgang Kandek, CTO, Qualys, said that Windows XP is affected by all five updates, and it will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem.
Tyler Reguly, manager of security research at Tripwire, said: “Silverlight is patched this month; while we don’t see it listed in bulletins very often it does come up from time to time. Given the limited adoption of Silverlight and the implied support Microsoft gave Flash when they bundled it in IE 11, it’s surprising that Silverlight has not been shelved yet.
“In a world filled with so many web technologies, vendors could better serve the public by simply limiting choice and removing dead weight. With the death clock moving one step closer to midnight on Windows XP, it’s surprising to see so few XP related bulletins. You have to wonder… is Microsoft purposely slowing down on Windows XP fixes or are attackers stockpiling them?”