Valentine's Day Patch Tuesday: Microsoft to issue 9 patches, 4 critical

Microsoft Thursday said that the second Patch Tuesday of 2012 will see nine security bulletins, four of which were deemed critical.

Three of the four critical bulletins address vulnerabilities in Windows, one of which also targets an Internet Explorer flaw that Wolfgang Kandek, CTO of Qualys, says should be treated with the "highest priority." This is because browser-based vulnerabilities have been exposed more quickly of late than those for legacy software, Kandek says.

The fourth critical bulletin targets the .NET framework and Silverlight. As for the remaining bulletins, all five are rated "important." Four address vulnerabilities in Windows while another resolves an issue with Office and Server Software.

With the release, Microsoft will exceed the seven bulletins issued last month, as well as nearly tripling the number of vulnerabilities addressed, from eight in January to 21 this month.

RELATED: Microsoft patch blows 'perfect game' but sends important message

However, when the trends of the past few years are taken into account, the second Patch Tuesday of 2012 is a sign of continued progress for Microsoft security. Paul Henry, security and forensic analyst at Lumension, called this Patch Tuesday a "pretty sweet Valentine's day" for the IT professionals responsible for implementing the bulletins, especially when compared to the last two years. Microsoft sent 12 patches and addressed 22 vulnerabilities in February 2011, a year after issuing 13 bulletins that addressed 26 vulnerabilities.

Especially coming off a similarly light January Patch Tuesday, in which seven bulletins were issued but just eight vulnerabilities were addressed, Henry says there are signs of optimism for Microsoft security.

"We've had two fairly light patching periods in a row, with just seven from Microsoft last month," Henry says. "Clearly, the company's renewed focus is paying off."

Tuesday's upcoming patch will bring the total number of security bulletins in 2012 to 16. In comparison, Microsoft had issued 14 combined patches in the first two months of 2011, following a light, two-patch month in January 2011.

Despite the slightly higher total in overall bulletins compared to the same time last year, Henry has said security improvements in updated versions of Microsoft products have been evident in the continued decline in security patches. In 2011, Microsoft issued 100 patches, down from 106 the year prior. The company also saw its lowest level of bulletins rated critical in 2011, at 32, since it began issuing them monthly in 2004.

Colin Neagle covers Microsoft security and network management for Network World. Keep up with his blog: Rated Critical, follow him on Twitter: @ntwrkwrldneagle.

Read more about software in Network World's Software section.

Join the CSO newsletter!

Error: Please check your email address.

More about LumensionMicrosoftQualys

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Colin Neagle

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place