Microsoft has just provided its advance notice of the patches that will be released on Tuesday, March 11. The details are available at http://technet.microsoft.com/en-us/security/bulletin/ms14-mar
CURRENTLY (just in case MS pulls another fast one), there are five patches scheduled to be released. For workstation operating systems, two of the patches are designated as CRITICAL. For server operating systems, only the second patch is designated as CRITICAL.
The first patch applies to all versions of Internet Explorer (6-11). The second patch applies to all workstation and server operating systems, with the exception of the Itanium platform (Server 2003 installations on Itanium systems ARE still assigned a CRITICAL designation) and Server Core ONLY installations. The remaining patches are designated as IMPORTANT for workstation OSs and server OSs.
Bulletins #1 and #2 could allow remote code execution if successfully exploited. It is currently unknown if the vulnerabilities have been disclosed publicly prior to March 6. Bulletin #3 could allow an elevation of privilege if successfully exploited. Bulletins #4 and #5 would enable a bypass of security features if exploited.
Note: Bulletin #5 applies to Microsoft Silverlight version 5 only.
No recommendation can be provided at this time regarding the patch priority as no details are available regarding the likelihood of exploitation/the viability of exploit code. Additional details will be provided on Tuesday after the patches have been released.
Update March 10 7:20 a.m.
All indications are that the ActiveX vulnerability being actively exploited is due to get patched on Tuesday.
Update March 11 2:15 p.m.
Microsoft has provided additional details on the patches that are being released for March. In addition to the one publicly disclosed ActiveX vulnerability that was being actively exploited, the March patches address seventeen other privately reported vulnerabilities in Internet Explorer. As the ActiveX vulnerability was already being exploited, it is recommended that the March patches be applied to workstations as soon as possible. According to SANS, the risk of compromise is classified as CRITICAL even for servers, although Microsoft still classifies all the patches associated with Internet Explorer as MODERATE risk for all server operating system installations.
For several server operating systems, the SANS site https://isc.sans.edu/forums/diary/Microsoft+Patch+Tuesday+March+2014/17795 indicates that March patch https://technet.microsoft.com/en-us/security/bulletin/ms14-013 IS assigned a CRITICAL designation, even though Microsoft indicates reliable exploit code would be difficult to develop.
Also released on March 11 is an update to Adobe Flash. The most current version of Flash for Windows and Macintosh systems is 18.104.22.168. Details on the Adobe patch are available at http://helpx.adobe.com/security/products/flash-player/apsb14-08.html
All the above issues being the case, AND considering we have at least a couple of days of reduced activity, it is advised that the patches be applied to server systems when time allows, preferably over the weekend of March 15-16.