Microsoft rates only one of the bulletins critical; it addresses a flaw that could result in remote code execution attacks on the newer operating systems – Windows Vista, Windows 7, and Windows 2008 Server R2.
The critical bulletin has an exploitability rating of 3, suggesting that it is not likely this patch will be used, commented Paul Henry, a security and forensic analyst at Lumension. All four patches will impact Windows platforms and will require a reboot, Henry added.
One of the important bulletins also fixes a flaw that could result in remote code execution. The other important bulletin plugs an elevation of privilege flaw, and the moderate bulletin plugs a hole that could result in denial of service attacks.
“November looks like it’s going to be an upside down month for Microsoft. Of the four bulletins to be posted... only one affects XP and 2003. In a flip-flop from normal patches, the majority of the bulletins affect newer operating systems”, said Andrew Storms, director of security operations at nCircle.
Wolfgang Kandek, chief technology officer at Qualys, also found it curious that the patches are for the newer operating systems. “Interestingly the majority of bulletins only apply to these newer versions of Windows, and XP and 2003 users are only affected by bulletin three, which is rated important…. Overall, this is a Patch Tuesday that will give a break to many IT administrators.”