In the biggest one-day security update since February, Microsoft Corp. Tuesday issued nine bulletins that patched 14 vulnerabilities in Office, Internet Explorer (IE), and every edition of Windows. Eight of the fixes were pegged as critical, the company’s highest risk rating.
Faced with an overload of vulnerabilities — including some in components that Microsoft has patched in the past — researchers squabbled over which should get priority.
“I think six of these are equally important,” said Andrew Storms director of security operations at nCircle Network Security Inc.
“The GDI vulnerability is the most critical,” said Amol Sarwate, the manager of Qualys’ vulnerability research lab.
“MS07-042 affects everything,” said Don Leatham, the director of solutions and strategies at PatchLink Corp.
The only update that all three agreed should be moved to the top of the list was the one that patched a bug in Windows Graphics Rendering Engine (GDI). According to Microsoft’s MS07-046 advisory, the GDI bug not only affects Windows 2000, XP and 2003 Server, but a successful attack could give the hacker complete control of the PC.
“This affects a core Windows subsystem, and all versions except for Windows Vista,” said Sarwate. “Unlike most other vulnerabilities, this one doesn’t need an application, like Internet Explorer; all that’s needed is a [malformed] image file. The only good news here is that this does not affect Vista.”
As usual, Microsoft’s monthly updates have been posted to Microsoft Update and Windows Update services, and can also be retrieved through Windows Server Update Services (WSUS). The necessary files can also be downloaded directly from Microsoft’s Web site.