Microsoft released Tuesday one critical bulletin in a package of seven that comprised the company's first monthly patch release of the year.
Security experts disagreed as to which fix should get the highest priority. Wolfgang Kandek, chief technology officer for Qualys, recommended the patch for two vulnerabilities in Windows Media Player, while Symantec chose the Windows fix for a flaw that would run malware as soon as an Outlook user opened a Word or PowerPoint file.
Microsoft agreed with Kandek in rating the Media Player vulnerability critical. All the other bulletins were listed as important. The Player vulnerability could be exploited through an e-mail attachment or by hosting a malicious media file on a Web site, Kandek said.
Symantec gave a slightly higher priority to the vulnerability in Windows .NET, Microsoft's software framework. The flaw could be quickly exploited with a Word or PowerPoint file, making it particularly susceptible to attack via e-mail attachments, according to Symantec. Microsoft rated the patch important, but Kandek disagreed in giving the fix its second highest priority. "We consider vulnerabilities that only rely on a user opening a file critical enough to move them up in priority."
Another bulletin contained a fix for the so-called BEAST attack, first demonstrated in September at the Ekoparty security conference in Buenos Aires. The vulnerability makes it possible for an attacker who has infiltrated a Web server to decode and eavesdrop on data communications over an otherwise secure HTTPS connection.
The bulletin package also includes a patch for a new vulnerability category, called the "security feature bypass" flaw. The classification is for flaws that are not directly accessible, but can be tapped through other vulnerabilities.
Finally, security experts reminded Windows users not to forget the out-of-cycle emergency patch Microsoft released at the end of last year. The first patch of the year that was not part of Microsoft's scheduled release on the second Tuesday of each month fixed a flaw within the ASP.NET application framework. The vulnerability made if relatively easy to take down a Web site.