Nested in five security bulleting clusters are patches that address a total 15 vulnerabilities in MS-Office and Windows, all of which are rated 'important' and affect Office 2010, Excel, Office Groove 2007 and SharePoint Workspace 2010.
According to Microsoft, only one of the updates needs a system restart. By comparison, Infosecurity notes, last month's Patch Tuesday cover a total of 13 security bulletins that addressed 22 vulnerabilities.
Commenting on the planned updates – which will be released at 6pm UK time tomorrow – Marcus J. Carey, a security reseacher and community manager with Rapid7, the security and pen testing specialist, said that its easy for organisations to gain a false sense of security during a light patch month.
“Sometimes an attitude of complacency towards non-critical vulnerabilities is evident, but while there are no 'critical' bulletins this month, organisations should not downplay the vulnerabilities being addressed. I know of organisations that have 30-day patch requirements for 'critical' – which is too long in my opinion – and up to three months to patch 'important and below' ”, he said.
According to Carey, whilst 'important' vulnerabilities may not give attackers the full root privileges generally associated with 'critical' vulnerabilities, an attacker can use an 'important' rated vulnerability to achieve an initial compromise and then escalate privileges by other means.
“By using an 'important' vulnerability and other methods, attackers can still end up with the same result, and so it is essential that organisations understand that all five of these 'important' bulletins can result in an escalation of privileges for the attacker, which is a serious matter and needs to be addressed quickly”, he explained.
Over at cloud security specialist Qualys, meanwhile, Amol Sarwate, the firm's vulnerability labs manager, said that this is the first Patch Tuesday in recent times that does not have a single critical update. It is also, he noted, a relatively small update and is consistent to the cycle of smaller patches every other month.
“Top priority should be given to remote code execution Microsoft Office patches that affect Excel 2003 through Excel 2010 and Office 2003 through Office 2010. Another high priority is the Windows patch that fixes a remote code execution flaw in Windows XP, Windows Vista, Windows 7, Windows 2003 and Windows 2008”, he said.
Other patches, he went on to say, can be evaluated at a relatively lower urgency because attackers already need lower privilege access to the target system to execute the exploit. This, he explained, includes the Windows 2003/2008 and SharePoint Server 2007 security update.
The good news is that Sarwate expects a smooth deployment of these patches by IT departments who are already used to the Microsoft Patch Tuesday cycles.