August Patch Tuesday heats up with five critical security bulletins

The five critical bulletins fix remote code execution vulnerabilities in Microsoft Windows, Internet Explorer, Office, SQL Server, Server Software, Developer Tools, and Exchange, according to the security advisory. The remaining four important bulletins cover Microsoft Windows and Office and also include remote code execution flaws.

“Some of the updates this month will have far reaching impact and they include patches to new problems, updates to old problems and something that might cause you a little more work than you might have been anticipating this month”, commented Paul Henry, security and forensic analyst with Lumension.

Henry identified Bulletin 4 as the most important. “This affects all platforms of Windows and addresses an ActiveX component that’s redistributed in many places in Windows. It’s an issue that was previously patched and this patch cleans up the previous patch. It’s a very high priority update because it is native in Windows and impacts all Windows platforms”, he noted.

Wolfgang Kandek, chief technology officer at Qualys, believes that Bulletins 1 and 5 are more interesting. “Bulletin 1 is an update for Internet Explorer, and it is the third consecutive update for Internet Explorer in as many months. This new faster update frequency for IE is the fruit of the streamlining that Microsoft has done in their QA process, but it also illustrates that there continues to be no shortage of browser vulnerabilities”, he wrote.

“Bulletin 5 is an update for Exchange Server and will address the vulnerability caused by the Oracle component 'Outside in' which was first reported and addressed by Oracle in their July Critical Patch Update. Microsoft had previously provided a workaround for Exchange Server administrators that disabled use of the flawed component”, he added.

Andrew Storm, director of security with nCircle, commented: “Microsoft will deliver one patch next week that applies only to XP, but I bet they wish they could end-of-life that code. It’s got to be expensive to continue patching all the old code in XP, but the user base is still so big they have to continue to support it.”

In addition, Adobe is releasing security updates on Tuesday for its Reader and Acrobat products.

The security updates will affect Reader X (10.1.3) and earlier 10.x versions and 9.5.1 and earlier 9.x versions for Windows and Macs, as well as Acrobat X (10.1.3) and earlier 10.x versions and 9.5.1 and earlier 9.x versions for Windows and Macs. Adobe stressed that it is not aware of any exploits in the wild for these vulnerabilities.
