It is not uncommon, and has become expected, for a light patch Tuesday to follow a heavy patch Tuesday release from Microsoft. Last month, Microsoft released a hefty load of patches with 10 security bulletins addressing 34 vulnerabilities.
The security bulletin that administrators should address first on their machines is MS10-042. This security bulletin addresses a vulnerability in the Windows Help system that is currently being exploited in the wild. Earlier this month, this vulnerability and its exploit code were released by a security researcher, prompting Microsoft to release Security Advisory 2219475. For any zero-day exploit, administrators should deploy the patch as soon as possible.
A second Security Advisory, 2028859, is being closed out with the release of Security Bulletin MS10-043. Although the vulnerability was publicly disclosed, Microsoft is not reporting any current exploits against it. The last two bulletins affect Microsoft Office programs, and each can lead to remote code execution on an affected machine.
This may seem like a light patch month in terms of the effort required by administrators to protect their networks, but all administrators could have quite a workload, as Windows 2000 and Windows XP SP2 have officially reached end of life support. These operating systems will no longer be supported after today’s patch Tuesday. Microsoft will not be supplying new Security Bulletins for these operating systems going forward.
It is important for administrators to use this light patch month to identify these systems on their network and upgrade the machines to a supported operating system or service pack level. Unlike patching, deploying new operating systems or service packs can be quite an undertaking, as it requires plenty of time and effort.
* Jason Miller is data and security team manager, Shavlik Technologies.