Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

Summary: Microsoft plans to issue five 'important' bulletins to fix flaws that could lead to code execution and privilege escalation attacks.

Microsoft plans to ship five security bulletins next Tuesday with fixes for serious security vulnerabilities that could lead to remote code execution attacks.

The updates, all rated "important," will provide fixes for security holes in the Microsoft Windows operating system, the Microsoft Office productivity suite and the Microsoft Server Software.

According to an advance notice issued by Redmond, the flaws could lead to code execution or elevation of privilege attacks. At least one of the bulletins will require a restart after installation.

The Windows OS updates will apply to all versions of the operating system, including the newest Windows 7 and Windows Server 2008 R2.

Despite the light Patch Tuesday and the absence of "critical" bulletins, Rapid7 security researcher Marcus Carey is urging IT administrators and Windows users to avoid downplaying this batch of patches.

"It's easy for organizations to gain a false sense of security during a light patch month and sometimes an attitude of complacency towards non-critical vulnerabilities is evident, but while there are no “critical” bulletins this month, organizations should not downplay the vulnerabilities being addressed. I know of organizations that have 30 day patch requirements for “critical” – which is too long in my opinion – and up to three months to patch “important” and below," Carey said.

While “important” vulnerabilities may not give attackers the full root privileges generally associated with “critical” vulnerabilities, Carey warns that an attacker can use an “important”-rated vulnerability to achieve an initial compromise and then escalate privileges by other means.

"By using an “important” vulnerability and other methods, attackers can still end up with the same result, and so it is essential that organizations understand that all five of these "important" bulletins can result in an escalation of privileges for the attacker, which is a serious matter and needs to be addressed quickly," he added.

Talkback

7 comments
  • Critical means root access?

    I thought critical meant code execution. There have been plenty of non "root" vulnerabilities given a critical rating. In fact the majority of them are non "root" vulnerabilities.
    ye
  • RE: Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

    let me say: windows ThinPc has done flawless job on this dell gx270. you be fool to miss IE9 & Aero, plus all other -=7=- stuff that old pent IV can . old dog, new trick. updates too from microsoft website o/s download. FREE.

    drashek md
    VONDRASHEK9
  • RE: Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

    The bulletins (not the patches) got released early. see http://isc.sans.edu
    pialert
  • RE: Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

    In all the years I've been getting automatic updates from MS for Windows (all versions thru Vista) not ONCE has one of them been rated "critical." It seems "important" is the highest rating we peons can be allowed. What, they don't want to scare us? Frankly, I'd rather know. I think they just re-rate the "critical" updates as "important" for the masses.
    flboffin
    • RE: Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

      @flboffin you might want to review your system updates and your configs. your reported lack of critical updates is indicative of either outright error or misunderstanding.

      flboffin - you be correct - i took the time to check my system... sure enough 'critical' makes no appearance.
      methinks ZDNet is in fact being self-serving by applying said term to the updates, given that MS doesn't. surely some of the updates *could* be considered critical - without playing with semantics on either side.
      BitBanger!USA
      • RE: Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

        @BitBanger!USA I don't think so. I've seen a number of updates that were listed as "critical" in ZDNet blogs, but in my system the same update, with the same KB-number, was rated only as "important." Many of these were "Security Updates."
        flboffin
  • RE: Patch Tuesday heads-up: Microsoft readies 5 'important' security updates

    Thanks MSFT, Apple take note, this is how smart companies handle security.
    wuboyblue