Three of the four critically rated bulletins that affect Microsoft Windows, Internet Explorer, Silverlight, Office, and Server Software could lead to remote code execution while the final critically rated bulletin could allow for privilege elevations. The less severe, important-rated bulletins affect Office, Server Software, and Windows and could lead to information disclosures and privilege escalations.
Qualys Chief Technical Officer Wolfgang Kandek told Threatpost in an email interview that he would prioritize the first bulletin on Patch Tuesday because it fixes a bug that could be exploited to perform a complete machine takeover in all versions of IE from 6 through 10.
Kandek also expressed concerns regarding the second bulletin, which will address critical vulnerabilities in Microsoft Silverlight on Windows and Mac OS X, because Silverlight is widely deployed on end-user machines to run media applications like Netflix.
The third bulletin will fix a vulnerability in Visio and the Microsoft Office Filter Pack. Kandek said he was puzzled by the fact that this fix received a critical rating, because exploitation would require that users open an infected file, and that he would be interested to see if this vulnerability’s attack vector ends up warranting the high-severity rating.
Lastly, Kandek noted that the fourth and final critically rated bulletin arose from a problem in SharePoint server.
The Patch Tuesday notification will go live, replacing the advanced bulletins, on Tuesday, March 13 at 1 PM EST.