Microsoft is hitting system administrators with a hefty workload this month, releasing nine security updates – double the amount of September’s Patch Tuesday – including three critical fixes.
Redmond said in its advance notice announcement that all three critical bulletins - covering Windows, Internet Explorer and the .NET framework - relate to remote code execution (RCE) vulnerabilities.
Five others are tagged as “important” while one is “moderate”.
In total, five bulletins fix flaws which could lead to remote code execution, three patch “elevation of privileges” and Bulletin 9, which relates to Microsoft Developer Tools, fixes a “security feature bypass” issue.
Ross Barrett, senior manager of security engineering at Rapid7, said the “critical” issue with Internet Explorer, which Bulletin 1 has been issued to fix, is probably “the most at risk for exploitation.”
“Microsoft is back in fine form this month with nine upcoming advisories affecting Internet Explorer, the entire Microsoft range of supported operating systems, plus Office, SharePoint Server and a very specific add on module to their development tools calls ‘ASP .NET MVC’,” he added.
“Behind the three critical, there are four issues marked as Important, enabling either remote code execution or elevation of privilege. Again, most Windows versions are affected, plus in one case, Office and SharePoint. These will be the second patching priority.”
Wolfgang Kandek, CTO at Qualys, agreed that Bulletin 1 is the most important for sysadmins as it affects all currently supported versions of Internet Explorer (IE 6-11) on all operating system including Windows RT.
“An attacker would craft a malicious webpage and attract traffic to the page, for example through Search Engine Poisoning or by using web sites already under her control,” he added in a blog post.
“Bulletin 6 is an update for Microsoft Office 2007 and 2010. Microsoft rates it as important, even though it provides RCE on the applications. We generally rate these bugs as critical and since attackers frequently focus on application level vulnerabilities you should apply bulletin #6 as soon as possible. Mac OS X users are also affected if they have Office 2011 installed, but we have not yet heard of attacks against Office on that platform.”
He added that Bulletin 2 fixes an issue most likely “in one the graphics or media libraries” in Windows, while Bulletin 5 deals with what is probably “a file format vulnerability in one of the included utilities.”