Miller saw two choices for Microsoft's customers: Either postpone patching some of the vulnerabilities or separate the updates into batches that can be rolled out in stages. "This month, they will either have to throw out their normal procedures, or extend their patching cycle by taking them in bunches," said Miller.
Andrew Storms, director of security operations at nCircle Network Security, warned administrators not to do the former. "Despite the number of bulletins and the workload, it's going to be important that companies use the same diligence as always," said Storms. "That's what is going to win the game for everyone."
Given the number of updates that need to be applied, it was no surprise that Miller, Kandek and Storms each had their own recommendations on what patches to roll out pronto.
"The IE update is the most important," said Kandek, talking about MS09-054, which fixes four critical flaws in the popular browser. "That's what people use. And applying the patch immediately should not break anything."
He also put the GDI+ update at the top of his list, as did Miller. "IE and GDI should be patched first, just because of the huge target base," reasoned Miller. "IE is the richest target.... All hackers need is a malicious site to take advantage of the vulnerabilities."
Storms, on the other hand, suggested people deploy MS09-050 and MS09-053 as soon as possible: Those updates fix flaws Microsoft revealed more than a month ago in SMB (Server Message Block) 2, a Microsoft-made network file- and print-sharing protocol, and in the FTP server included with older editions of the Internet Information Services (IIS) Web server.
"I would put the two items in the public domain at the top of the list," said Storms. "And then MS09-051 and the IE updates, the latter because those kind of client-side bugs get a lot of attention from attackers."
MS09-051 patches a pair of vulnerabilities in Windows Media's codecs that could easily be exploited, said Storms, by hackers via "drive-by" attacks launched from malicious or hijacked legitimate Web sites.
"It's going to be tough for administrators to do their research this month," said Miller. "I can see some people just doing the ones as they see fit."
This month's 13 security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.