"Three of the bulletins impact Vista," said Eric Schultze, chief security architect, of St. Paul, Minn.-based Shavlik Technologies. "That's not a really good track record for an operating system that Microsoft thought was going to secure the world."
Pointing to Windows Vista patches this month and in previous months, Schultze said, "I don't think Vista has had quite the impact that Microsoft hoped it would in staving off the need to patch your OS."
Of the six security updates published Tuesday, four are rated "critical" and two are rated "important." "This is a little larger this month than average," said Schultze. "Obviously, the big news goes toward bulletin 057, which is for Internet Explorer. The Internet Explorer patch goes toward addressing a lot of previously known public vulnerabilities. So you'll want to patch the IE issue pretty quickly for all of your Internet browsing machines."
"Today's Microsoft patches emphasize the need for proactive browser protection and the risk of surfing the Web unprotected," said Dave Marcus, security research and communications manager at McAfee Avert Labs, in an e-mailed statement. "Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply clicks a malicious Web link, a favorite attack method among cybercriminals. Users need to be more careful than ever when surfing the Internet."
Though bulletin 058 is only rated "important" -- the "critical" designation is typically reserved for flaws that allow remote code execution -- Schultze nonetheless said the IE fix should be dealt with immediately.
"The other big one that I think it really critical to do is bulletin 058, which Microsoft calls the RPC denial of service," said Schultze, who explained that it could be used to conduct denial of service attacks. "This one will be really critical for network administrators and corporations to protect all of their assets on their internal network... from disgruntled employees."
Schultze said there is no exploit currently circulating for this bug but he expects there will be one within a week.
The other critical bulletins address flaws in Kodak Image Viewer, Outlook Express and Windows Mail, and Microsoft Word that could allow remote code execution. Bulletin 059, rated "important," addresses a vulnerability found that impacts Windows SharePoint Services 3.0 and Office SharePoint Server 2007.
Microsoft had expected to release seven updates Tuesday, as stated last Thursday through its Advance Notification Service (ANS).
Tami Gallupe, Microsoft Security Response Center release manager, explained in a blog post, "As previously communicated, the ANS is always subject to change. We decided to remove one of the updates from the release schedule due to a quality control issue, so we can resolve that issue prior to releasing the update to customers."
[Interop ITX 2017] State Of DevOps ReportThe DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
2017 State of IT ReportIn today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.