Another substantial Windows Patch Tuesday due tomorrow

According to Wolfgang Kandek, chief technology officer with Qualys, four of the bulletins have a rating of "critical" and affect Windows XP, Windows 2003 and Vista.

Once again, he said, Windows 7 and Windows Server 2008 R2 are less problematic and are not affected by three of the four critical vulnerabilities and have a downgraded severity of "Important" for the last one.

"Microsoft Office XP, 2003 and 2007 are affected by two bulletins, each carrying a severity of "Important", a pretty standard rating for common file format vulnerabilities, even though they allow the attacker to take control of the affected system", he noted

Kandek went on to say that he expects that some of the bulletins will address DLL Hijacking issues in Microsoft's own products, but it will be interesting to see if Microsoft will change its guidance for Hotfix KB2264107.

"Currently it is only at the advisory level and users have to make an active decision to get protection against DLL Hijacking in 3rd party applications", he explained.

Kandek said that, as with last month's updates, Windows XP SP2 users do not have any patches supplied to them, even though the majority of updates for XP SP3 most likely apply to their discontinued version of the OS as well.

"Windows XP SP2 users should upgrade to SP3 as quickly as possible", he advised.

Over at fellow IT security vendor Lumension, Don Leatham, the firm's senior director of solutions and strategy, said that IT teams can expect a lighter load with this month's Patch Tuesday.

"The Microsoft Security Bulletin Advance Notification shows nine new bulletins that will address a total of 13 vulnerabilities, with at least one specifically affecting Internet Information Services, so organisations that use Microsoft’s Web hosting solution will want to pay special attention to this particular bulletin", he said.

Leatham went on to say that this month shows the fruit of Microsoft's efforts to make their latest platforms and products more secure and should encourage organisations to continue to move away from the Windows XP and Windows Server 2003.

A simple comparison of impacted software in this notification shows clearly how older versions of Windows are essentially less secure, he said:

  • XP and Server 2003: 3 critical, 5 important
  • Vista and Server 2008: 2 critical, 3 important
  • Windows 7 and Server 2008 R2: 0 critical, and 3 important

"These results show that organisations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them", he said, adding that organisations stuck on Windows XP and Server 2003 need to take a hard look at the cost and risk factors associated with staying on these dated platforms."

"The IT community continues to see attacks moving to other platforms with two big announcements this week - the new Adobe PDF issue, being actively used by the bad guys in the wild and Mozilla releasing a large update", he said.

"So whilst Microsoft's bulletin might be considered light this month, given how critical the updates were in August, IT teams still need to be vigilant in reviewing previous months Microsoft patch deployments as well as all other vendor updates", he added.

What’s Hot on Infosecurity Magazine?