Six of the Security Bulletins are rated critical; five are rated important. Microsoft did not include a fix for a JScript vulnerability that the company mentioned in its pre-patch guidance last week.
The affected software includes WebDAV Mini-Redirector, Object Linking and Embedding (OLE) Automation, Microsoft Word, Internet Explorer, Microsoft Office Publisher, and Microsoft Office. The OLE and Word vulnerabilities affect both Microsoft's Windows and Mac customers.
Components with important vulnerabilities include Active Directory/Active Directory Application Mode, Transmission Control Protocol/Internet Protocol (TCP/IP), Internet Information Services (IIS), and Microsoft Works File Converter.
Symantec senior research manager Ben Greenbaum observed that Tuesday's round of fixes points to the increasing use of trusted sites to distribute malware. "While the batch of critical vulnerabilities all require some sort of user interaction to exploit, the interaction can be as simple as visiting a trusted Web site that has first been exploited by an attacker," he said in an e-mail. "As consumers and enterprises become more savvy to security risks, attackers are leveraging alternative means to distribute malware through these trusted sites in addition to distributing via an attachment or random link in an e-mail."
"Six of the eleven are client-side vulnerabilities," said Eric Schultze, chief technology officer of Shavlik Technologies. "So if I open a malicious document or visit a malicious Web site, then I'm hacked. Those are always less interesting for me if I'm the attacker because I have to wait for someone to visit my site or open my document."
Security bulletinsMS08-005 and MS08-006 relate to Microsoft's IIS Web server and Schultze says that taken together, these two vulnerabilities are more significant than Microsoft suggests. "Microsoft rates them important; I rate them critical," he said. "They allow me as the attacker to break onto your Web server and take complete control of it."
Don Leatham, director of solutions and strategy at Lumension, said the Internet Explorer fix should be dealt with immediately. "We're definitely encouraging our customers at getting MS08-010 out as soon as possible," he said. "That looks like the one that has the most downside if some exploits were to come out quickly. It affects IE6 and IE7, which covers a lot of the browsers being used in a lot of organizations."
"It was a surprise seeing such a large release on the heels of such a small release in January," said Jonathan Bitle, director of technical account management for Qualys. "After last month, people had a nice break. This just highlights the fact that organizations really can't rest in terms of security."
Indeed, the absence of any fix for a high-profile Excel vulnerability suggests than even the most up-to-date systems will continue to have holes.