Via the December 2009 Security Bulletin Release

Dec 10, 2009 09:02 GMT

The latest round of security updates from Microsoft is currently available via Windows Update for all users, with the company stressing the urgency of plugging the security holes affecting Internet Explorer ahead of anything else. Earlier this week, the Redmond company started serving no fewer than six security bulletins as part of its routine monthly security update cycle. The updates are designed to resolve a total of 12 vulnerabilities spanning Windows (including Windows Vista and Windows XP), Internet Explorer (IE), Windows Server and Microsoft Office.

Users who have already upgraded to Windows 7 following its general availability on October 22nd, 2009, will be happy to know that they needn’t apply any of the Windows patches offered. However, they’re not exactly out of the woods when it comes to the December 2009 Security Bulletin Release. In fact, this month Microsoft patched several vulnerabilities in Internet Explorer, including in IE8 running on Windows 7 RTM.

“As always, it’s recommended that customers deploy all security updates as soon as possible. Of the bulletins released this month, customers should prioritize and deploy the cumulative IE bulletin, MS09-072, given its Critical severity rating, Exploitability Index rating of 1 (“Consistent Exploit Code Likely”) and the existence of publicly available Proof of Concept (PoC) code. Also of note, this cumulative update addresses the browser vulnerability announced in Security Advisory 977981. Customers may refer to the Microsoft Exploitability Index for additional guidance regarding the prioritization and deployment of the bulletins,” revealed Jerry Bryant, senior security program manager lead, Microsoft, for Softpedia.

Only three of the six security bulletins carry a maximum severity rating of Critical. There is, of course, the Internet Explorer patch package, but also the update for the vulnerability in Internet Authentication Service, and one for Office Project. Bryant offered a more comprehensive perspective on this month’s security updates:

- “MS09-069 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Windows which could allow denial of service. This update received a 3 rating from Microsoft’s Exploitability Index.
- MS09-070 (Maximum severity rating of Important): This update resolves two privately reported vulnerabilities in Windows which could allow remote code execution; however, an attacker would need to be an authenticated user in order to exploit either of these vulnerabilities. This update received a 1 rating from Microsoft’s Exploitability Index.
- MS09-071 (Maximum severity rating of Critical): This update resolves two privately reported vulnerabilities in Windows which could allow remote code execution. This update received a 2 rating from Microsoft’s Exploitability Index.
- MS09-072 (Maximum severity rating of Critical): This update resolves four privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer which could allow remote code execution. This update received a 1 rating from Microsoft’s Exploitability Index.
- MS09-073 (Maximum severity rating of Critical): This update resolves one privately reported vulnerability in Office which could allow remote code execution if a user opens a specially crafted Project file. This update received a 2 rating from Microsoft’s Exploitability Index.
- MS09-074 (Maximum severity rating of Important): This update resolves one privately reported vulnerability in Office which could allow remote code execution. This update received a 2 rating from Microsoft’s Exploitability Index.”