Microsoft Patch Tuesday: Prioritisation

By Thomas Kristensen

On Tuesday 9th June 2010, Microsoft released 10 bulletins. While we generally recommend that both private users and businesses patch right away, we are also well aware that businesses need to avoid unnecessary interruptions to daily operations and may therefore need to prioritise their efforts.

This month the choice is harder than usual, because several of the security bulletins deserve a high priority.

Our first choice, though, would be to address MS10-035, which covers multiple vulnerabilities in all supported versions of Internet Explorer, and secondly MS10-033, which covers media decompression vulnerabilities exploitable e.g. via Windows Media Player.

Both bulletins carry an exploitability index rating of 1, meaning Microsoft considers consistent, reliable exploit code likely, and both cover some of the most prevalent programs on Windows systems.

The Office and Excel vulnerabilities covered by MS10-036 and MS10-038 are also important to address immediately. Many of these vulnerabilities have received a 1 on the exploitability index, and the products are so widely deployed that they make attractive targets.

It is also worth noting that Microsoft will not release an MS10-036 patch for Office XP / 2002, because this would require a major re-architecture effort. In our opinion this effectively means that Office XP / 2002 has reached End-of-Life now, as a critical, exploitable vulnerability will remain unpatched.

MS10-034 should also apply smoothly, as it simply sets the kill-bit for various vulnerable ActiveX controls.
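Because a kill-bit bulletin changes nothing but registry values, it is easy to verify after deployment. The following PowerShell script is an added example, not code from the original post or from Secunia: it reports whether the kill-bit (bit 0x400 of the "Compatibility Flags" DWORD under the "ActiveX Compatibility" key, the mechanism documented in Microsoft KB240797) is set for a list of CLSIDs, and can optionally set it as an interim mitigation. The CLSID given as the default is a placeholder; substitute the CLSIDs listed in the bulletin.

```powershell
# Added example: check (or set) the ActiveX kill-bit for a list of CLSIDs.
# The default CLSID is a placeholder, not one of the controls in MS10-034.
param(
    [string[]]$Clsids = @('{00000000-0000-0000-0000-000000000000}'),
    [switch]$Set   # also set the kill-bit where it is missing
)

$KillBit = 0x400   # "Compatibility Flags" bit that blocks the control in IE
$Bases = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # 32-bit IE on a 64-bit OS reads the WOW64 view; it only exists on x64
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.'Compatibility Flags'
}

function Test-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $flags = Get-CompatFlags -Key (Join-Path $BasePath $Clsid)
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -ne 0)
}

function Set-KillBit {
    param([string]$BasePath, [string]$Clsid)
    $key = Join-Path $BasePath $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = Get-CompatFlags -Key $key
    if ($null -eq $current) { $current = 0 }
    # OR the kill-bit in so that any other compatibility flags are preserved
    New-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -Value ($current -bor $KillBit) -PropertyType DWord -Force | Out-Null
}

foreach ($clsid in $Clsids) {
    foreach ($base in $Bases) {
        if (-not (Test-Path $base)) { continue }   # skip Wow6432Node on 32-bit
        $before = Test-KillBit -BasePath $base -Clsid $clsid
        if ($Set -and -not $before) { Set-KillBit -BasePath $base -Clsid $clsid }
        [pscustomobject]@{
            CLSID      = $clsid
            Hive       = $base
            KillBitSet = (Test-KillBit -BasePath $base -Clsid $clsid)
            Changed    = ($Set -and -not $before)
        }
    }
}
```

Run it elevated (writing under HKLM requires administrator rights). A row with KillBitSet = False after MS10-034 has been deployed means the update did not reach that hive and the control is still loadable by Internet Explorer.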

The kernel vulnerabilities may also be of concern, in particular CVE-2010-1255 in MS10-032, as it has remote vectors (e.g. via certain versions of the Opera browser). Many administrators are reluctant to apply kernel patches because they can cause hard-to-diagnose system malfunctions, but given the potential external vectors these should not be neglected.

All of the bulletins mentioned above pose a comparable risk to most corporate environments, whereas the remaining ones should be prioritised individually, based on the specific environment, how the vulnerable programs are exposed, and what they are used for.

Secunia Advisories covering these vulnerabilities, with individual ratings and impact assessments, have been issued. Over the coming days Secunia will also conduct in-depth analysis of selected vulnerabilities with a remote vector, to ensure that our customers get information that is as exact as possible, including alternative remediation guidance.

Secunia customers have full access to the in-depth analysis of these vulnerabilities, and updated Secunia Advisories, from the customer area:

Private users can get up-to-date information on Secunia Advisories at:

Stay Secure
Thomas Kristensen