Microsoft is to release 12 bulletins next Tuesday, including five critical patches, to cover 57 vulnerabilities.
Covering critical flaws in Windows, Internet Explorer and Exchange Software and important-rated issues in Windows, Office, the .Net Framework and Microsoft Server Software, it follows the seven bulletins released in January and the emergency patch for Internet Explorer.
Ziv Mador, director of security research at Trustwave, said: “The advance notification of Patch Tuesday from Microsoft has 12 bulletins listed for this month. Not a small number by any means, but not completely unmanageable either.
“There will be six bulletins addressing remote code execution, four for elevation of privilege and two for denial-of-service. Two of the critical ones are in Internet Explorer, which can't be good; the other critical ones are in Windows and Microsoft Exchange 2007 and 2010.
“The two critical bulletins in Internet Explorer seem to impact all versions, which include 6, 7, 8, 9 and 10. This will probably make these two the most critical of all the critical patches this month.
“Everything else this month looks pretty run of the mill as far as Microsoft patches go; not to say they aren't important, just not as dramatic as critical patches for IE and Exchange. Also this month look for an update to the Microsoft Windows Malicious Software Removal Tool. We should see the full release from Microsoft on schedule next Tuesday.”
Andrew Storms, director of security operations for nCircle, said: “Coming off a rocky start to 2013, Microsoft's planning on sending out a tough love valentine next week with 12 security bulletins.
“The dirty dozen affects a wide range of operating system versions and includes Exchange Server, a critical business application. Over the past few months Microsoft has released a number of bug fixes for Oracle's Outside In technology used by Exchange Server, but none of the bugs fixed represented severe threats. Exchange Server bugs make a lot of people nervous; let's hope this month's Exchange patch is as dull as ditch water.
Internet Explorer patches are always a top priority and this month we're going to get two Internet Explorer bulletins. That's unusual because generally, when Microsoft patches IE, the patch is delivered as a single bulletin. The planned delivery of two separate IE bulletins has my ‘Spidey' senses on alert. I'm sure other IT security teams are wondering exactly what kind of IE valentine we're going to get.”
Ross Barrett, senior manager of security engineering at Rapid7, said: “The February 2013 Microsoft Patch Tuesday bulletin was released with 12 advisories and is bigger than average, which means security and IT teams will be busier than average. It's both good and bad news that the patches are mostly clustered on Windows Operating System, without dipping too much into Office or more esoteric specialty Microsoft products.
It's good because administrators probably don't have to worry about applying multiple patches for the same advisory to a single host; it's bad because an organisation with even the simplest deployment of Microsoft products will probably be hit by all of these advisories, meaning their desktop and server teams will be extra busy.”
Wolfgang Kandek, CTO of Qualys, said: “Today Microsoft published its Advance Notice for this month's Patch Tuesday. But more importantly Adobe released out-of-band a new version of its Flash Player that fixes two vulnerabilities that are already being exploited in the wild on both Windows and Mac OS X.
“Update your Flash installations as quickly as possible. Users of Google Chrome and Internet Explorer 10 will get their Flash update automatically from Google and Microsoft respectively.”