IT managers and techs may want to reschedule any plans they had for fun in the sun for the rest of the week.
In its monthly Patch Tuesday release, Microsoft issued the second-largest bunch of fixes this year -- patching vulnerabilities that will affect anyone using Windows, according to Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.
Microsoft released nine security bulletins, fixing a total of 14 vulnerabilities. Eight of the bugs are critical; four are rated important, which is the next rung down on the risk scale; and two are rated moderate. The fixes address flaws in Windows, Windows Media Player, Windows Gadgets, Office, Excel, Internet Explorer, Visual Basic, Virtual Server, and Virtual PC.
"Today was the biggest patch day in the last five or six months," said Sarwate, noting that the patches affect three or four core components. "We haven't seen this many critical patches since February. And we have the largest amount of applications affected. Anyone using Windows will be impacted by this."
Symantec Security Response rated the Cumulative Security Update for Internet Explorer as the most critical since two of the vulnerabilities affect Internet Explorer version 6 and version 7 on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. A successful exploit, which would most likely be delivered via a malicious Web page, could enable a hacker to remotely install malicious code.
Symantec researchers also noted the vulnerability being patched in the Windows Graphical Device Interface (GDI), which is designed to enable applications to use graphics and formatted text. The bug affects Microsoft Windows 2000, Windows XP, and Server 2003.
The client-side flaw, they reported, is in the GDI graphics rendering engine library. It could be triggered by a malicious Windows Metafile. The bug could be exploited by a malicious Web page or an HTML e-mail, and it would allow an attacker to install malicious code on the victim's machine.
Researchers at McAfee noted that this month's batch of patches highlights a new problem -- using malicious RSS feeds to attack Windows Vista.
One of the nine bulletins released today reported that an attacker could remotely run code on a system if a user subscribes to a malicious RSS feed in the Feed Headlines Gadget or adds a malicious contacts file in the Contacts Gadget or clicks on a malicious link in the Weather Gadget. Microsoft noted that this is an important security update for all supported editions of Windows Vista.
"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," said Dave Marcus, security research at McAfee Avert Labs. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits."
Microsoft's other mega batch of patches came in February when the company fixed 20 vulnerabilities with 12 patches.