Paul Henry, security and forensic analyst at Lumension, noted that the nine bulletins are more than double the number issued last July, although Microsoft is on par with 2011 in terms of total bulletins to date.
“Looking at the bulletins, one of the first things that jumps out is that these really impact the entire family of products, from XP all the way to 2008. This is really a weird mix of patches, impacting both legacy and current generation software with critical issues”, Henry commented.
On the agenda is a fix for the zero-day vulnerability in Microsoft XML Core Services, which has been the target of increasing attacks. In June, Microsoft issued a Fix It solution to block attacks exploiting the flaw.
However, Microsoft did not make clear in its July pre-release advisory that a patch would be issued for the zero-day flaw. After comments from a number of researchers, including Henry and Andrew Storm with nCircle, as well as media inquiries, Microsoft confirmed that it was indeed including a patch for the hole.
“It’s really good news that Microsoft is going to patch the XML core bug. The exploit for this bug has been included in the several popular toolkits, and attacks have been seen in the wild. IT security teams will definitely breathe a little easier knowing that a patch will be available tomorrow”, Storm commented.
Also teed up for Tuesday is a fix for a critical hole in Internet Explorer 9, a surprise move for a number of security researchers.
“Looks like we are going to get some unanticipated IE fireworks this month. Usually, Microsoft patches IE every other month, and we just got a cumulative update in June. That's why it's so surprising to see that IE9, the 'most secure' version of IE, will be patched next week. It's pretty safe to say this bulletin will patch something pretty serious”, said Storm.
Surprise was a reaction shared by Wolfgang Kandek, CTO with Qualys. “Bulletin 2 is for Internet Explorer (IE), and is a bit of a surprise as it breaks the usual cycle of supplying an update for IE every two months. The bulletin only applies to IE9 and is thus limited to Vista and above.”
Kandek advised users to make Bulletin 1 their “highest priority” because it affects all versions of Windows and is expected to address the XML vulnerability. Bulletin 3 is critical for all desktop operating systems, while for others it is rated moderate, he said.
“From the remaining bulletins all ranked ‘important’, we recommend paying attention to bulletin 4 which affects all versions of Office for Windows. It is a remote code execution vulnerability and is ranked 'important' because it requires the targeted user to open a malicious file. We typically consider 'important' bulletins for Office as almost the same severity level as ‘critical’; after all these document-based attack campaigns are usually quite successful in convincing at least a subset of end users to open the malicious document”, Kandek explained.
“Bulletin 6 is a bit curious. It is for a remote code execution vulnerability and applies to all versions of Windows, but it is rated only 'important'. It will be interesting to see what kind of mitigating circumstances made Microsoft come to that rating. Users of the latest version of Microsoft Office for Mac OS X should keep an eye on bulletin 9 and apply it as soon as possible”, Kandek added.