Sysadmins have some serious updating to do following Microsoft's latest set of Patch Tuesday releases. The company has fixed critical flaws in a number of products in Microsoft' largest set of security patches for some months.
The eight updates fix a number of well-known problems in the company's software, including vulnerabilities in Excel and the WordPad text converter that have been exploited by attackers in a small number of online attacks. A few other known bugs have also been fixed, including some issues Internet Explorer that could be used to pull off a so-called "carpet-bombing" attack, and Windows flaws that could give attackers extra privileges on a Windows machine.
Five of the updates are rated critical by Microsoft, meaning they fix flaws that could be exploited by attackers to run unauthorised software on a computer.
Systems administrators should probably patch the Excel and WordPad bugs first, said Eric Schultze, the chief technology officer with Shavlik Technologies. "There are known issues out here, and why flirt with danger," he said. The patch for Internet Explorer and another critical fix for Microsoft's DirectX multimedia software should also be given top priority, he added. MS09-013, an HTTP patch has also been rated critical.
Microsoft also issued a fix for a long-standing issue that could allow an attacker to get unauthorised privileges on a computer. This kind of attack, called "token kidnapping," was first reported more than a year ago by Cesar Cerrudo, the CEO of security research firm Argeniss. A token kidnapping attack could be very dangerous on servers that allow users to upload code - web servers used by a hosting provider, for example - because it could give users administrative control over the entire system, letting them control other users' websites.
"If you allow people to upload code to the web server, then you have got to get that one fixed right away," Schultze said.
The carpet-bombing patches are also interesting. Last year, security researcher Nitesh Dhanjani showed how Apple's Safari browser could litter a victim's desktop with downloaded programs. Another researcher soon found a way to combine this behavior with some flaws in Windows and Internet Explorer in order to run unauthorised software on a victim's PC. Apple patched the Safari part of the attack last year, and Microsoft has now followed suit and fixed the underlying Windows and IE issues, meaning that even if attackers found some other way to place software on a victim's machine, the carpet-bomb attack would no longer work.
Microsoft administrators may be busy with today's patches, but for some, patching is only beginning. Oracle is also set to release a major update, fixing 43 bugs in its database, application server and other products.