Patch Windows boxes NOW – unless you want to be owned by a web page or network packet

Here's a summary of the four "critical" patches this month; the top one is super critical or, if you will, Heartbleed critical:

• Secure Channel: This component of Windows provides things like SSL encryption, and allows a hacker to execute malicious code on a vulnerable system by sending specially crafted network packets to the machine (CVE-2014-6321). It affects all supported releases of Windows – from Server 2003 to Windows 8. The attacker does not have to be logged in. Luckily, the flaw has not (yet) been exploited in the wild, Microsoft says. The patch also adds some new TLS cipher suites.
• Windows OLE: Remote-code execution as the logged-in user if you trick a victim into opening a specially crafted web page in Internet Explorer (CVE-2014-6332). This flaw is not (yet) being exploited in the wild, but affects all supported versions of Windows.
• Internet Explorer: Again, remote-code execution as the logged-in user using a specially crafted web page (many CVEs). These flaws affect various supported versions of Internet Explorer. Some of the bugs merely leak information or allow an attacker to bypass security protections, namely ASLR.
• Windows XML Core Services: Remote-code execution as the logged-in user if you trick a victim into opening a specially crafted web page in Internet Explorer (CVE-2014-4118). "In all cases, however, an attacker would have no way to force users to visit such websites. Instead, an attacker would have to convince users to visit a website, typically by getting them to click a link in an email message or in an Instant Messenger request that takes users to the attacker's website," Microsoft notes.