Patch Tuesday preview: June 2013

“Just because there are only five bulletins this month,” warns Ziv Mador, director of security research at Trustwave, “doesn’t mean we shouldn’t pay attention to them.” For forward planning, he notes that four of the five will require system restarts – and the fifth might, depending on what else is installed.

“We have the omni-present, critical IE bulletin with remote code execution,” notes Lamar Bailey, Tripwire’s director of security research and development. “This month it affects every version of IE from 6-10, so it automatically goes to the top of the ‘patch immediately’ list.” If left unpatched, explains Amol Sarwate, Qualys director of engineering, on the Laws of Vulnerabilities blog, “this vulnerability can cause RCE (remote code execution) which implies that an attacker can take control of the victim computer if the victim browses to a malformed website using Internet Explorer (IE). Since the browser is a window to the internet, IE users should apply this RCE patch as soon as it is released.”

The IE bulletin is the sole ‘critical’ update this month. The rest are marked ‘important’.

Bulletin 5 is both interesting and confusing. It involves an old version of Office for Windows (Microsoft Office 2003 Service Pack 3) and the latest version of Office for Mac (Microsoft Office for Mac 2011). “There have been limited attacks using this vulnerability in the wild,” Paul Henry, a security and forensic analyst at Lumension, told Computerworld in an email. “Although it’s not considered to be publicly known, it is being actively exploited to some extent.” But despite being actively exploited, it is only marked ‘important’. “This bug probably isn’t remotely exploitable,” comments Bailey; “it probably has to do with parsing a document type. This will be one to watch on Tuesday.”

The confusing element is what old Windows code (but not newer versions) and new Mac code (but not older versions) have in common. When asked by Computerworld, Andrew Storms, director of security operations at Tripwire, replied simply, “I have no idea.”

Bulletin 2 affects Windows from XP SP3 and Server 2003 onwards, while Bulletins 3 and 4 affect Vista and Server 2008 onwards. They involve information disclosure, denial of service, and elevation of privilege respectively.