The four critical bulletins affect Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server and software, as well as Microsoft developer tools. The two important bulletins affect Microsoft Office and Forefront access gateway. A total of 11 vulnerabilities are being plugged, according to the Microsoft advisory.
“Bulletin #4 has the potential to cause IT security teams some serious headaches because it covers Office, SQL Server, Biztalk, Commerce Server, Visual FoxPro and Visual Basic. Anytime a bulletin covers such a wide range of products, IT security teams have to pause and think hard about deployment. It also requires some rigorous patch testing”, observed Andrew Storms, director of security operations at nCircle.
Wolfgang Kandek, chief technology officer with Qualys, agreed that Bulletin 4 will be “challenging” because it addresses a variety of applications. However, he stressed that Bulletin 1 should have the “highest priority” because it is a critical vulnerability “affecting all versions of Internet Explorer (6, 7, 8, 9) on respective platforms XP, 2003, Win7 and 2008 both 32 and 64 bit. Bulletin 2 is the second most critical and updates the Windows operating system, again encompassing all versions, both 64- and 32-bit.”
Paul Henry, security and forensic analyst for Lumension, said he was concerned about the critical issues that “seem to impact Windows from the older legacy XP platform that we have come to expect from current Windows 7 and Windows 2008 platforms, which is surprising because they have had the benefit of Microsoft’s secure coding initiatives.”