Microsoft just published the preview for March's Patch Tuesday with five bulletins (two critical and three important) and there are two big priorities:
- Patch the Internet Explorer vulnerability addressed in Bulletin #1, as it covers the current 0-day that was discovered about three weeks ago. Microsoft has so far addressed it with a Fix-It in KB2934088, but this will be the permanent patch reaching a much larger audience.
- Windows XP is affected by all five updates, and there is really no reason to expect this picture to change; Windows XP will continue to be impacted by the majority of vulnerabilities found in the Windows ecosystem, but you will not be able to address the issues anymore. Windows XP is getting its penultimate update and is now very close (just over 30 days) to its declared end of of life date:
So you need a strategy for the XP machines remaining in your infrastructure. We are still seeing a significant number of XP machines in our scans, ranging from around 25% in our consumer oriented service BrowserCheck to under 20% in our entreprise oriented data from QualysGuard.
Back to the March bulletins: priority one should be the two critical bulletins: Bulletin #1 for all versions of Internet Explorer, starting with v6 all the way to v11 and bulletin #2 for Windows, affecting all Windows OS versions from XP to 2012, with the exception being WIndows RT. Bulletin #3 and #4 address important vulnerabilities in Windows, and Bulletin #5 will be for users of Silverlight on Mac and Windows.
Stay tuned for our coverage next week, when we get more details on the patches.