The Valentine's Day 2012 edition of Patch Tuesday is upon us, and Microsoft has come forward with details on the nine bulletins it previewed last week.
The news comes as Oracle patched 14 Java vulnerabilities.
Although Lumension security and forensic analyst Paul Henry called it a "pretty sweet Valentine's Day", given the relatively light patch load total for the month, additional patches from Adobe may spoil the mood for others.
Four of Microsoft's nine security bulletins are deemed critical. The most important, Henry said, are the two bulletins that have been publicly disclosed. One is susceptible to remote code execution in Windows, while the other addresses a similar vulnerability in Silverlight and the .NET Framework.
Beyond that, Henry believes the two patches deemed "important" should receive higher priority because they have also been publicly disclosed. Both are susceptible to remote code execution in Windows, one through the Colour Control Panel and the other through Indeo Codec.
However, given the recent spike in browser-based attacks, Qualys CTO Wolfgang Kandek says the patch for four privately discovered vulnerabilities in Internet Explorer, MS12-110, should receive the most attention.
"We have seen how quickly attackers can react to new vulnerabilities when exploits for MS12-004 appeared within 2 weeks of its release on attack sites," Kandek said. "So while none of the vulnerabilities in MS12-010 were publicly known, you should install this fix as quickly as possible."
Although it surpassed the seven bulletins released last month, the nine patches issued today is a low for the month of February since 2009. That's a sign that a focus on security may be paying off for Redmond, Henry said.
However, a happy Valentine's Day for Microsoft doesn't necessarily mean the same for the IT department. Citing Oracle's concurrent release of patches for 14 Java vulnerabilities, which have been targeted particularly frequently of late, Henry says some support teams may have their hands full.
"The light patch load from Microsoft does not mean IT can sit back and relax however," Henry says. "A significant patch update from Oracle came out recently and, as always, threats targeting Java must be addressed, as currently it is the bad guys' most popular attack vector."
Similarly, Adobe released five security bulletins today as well. Four of the patches, specifically those addressing vulnerabilities in Shockwave Player, Flash Media Player Server, Flash Player and Photoshop, were deemed critical, while another targeting vulnerabilities in Robohelp was rated important.