Microsoft Releases Windows, IE Critical Updates

Microsoft shipped Tuesday a total of six updates addressing 11 vulnerabilities. Two of the updates are rated important. The security release was the software maker's latest that falls on the second Tuesday of each month.

The most critical update, called MS12-027, is one that affects a diverse set of products, including Office, SQL Server, Biztalk, Commerce Server, Visual FoxPro, and Visual Basic. Experts say the patch should be installed immediately, because malware exploiting the vulnerability has already been used in attacks.

"IT security teams should get ready for an urgent but careful deployment," Andrew Storms, director of security operations for nCircle, said in a statement. "Because this bulletin affects such an extensive list of products, security teams will need to spend extra time testing the patch before deploying."

Nearly as critical is MS12-023, an update that fixes security flaws in all versions of Internet Explorer. Microsoft has given the vulnerabilities an Exploitability Index of 1, which means malware attacking the flaws is likely within the next 30 days. "Patching IE is one of the most important things a company can do to maintain a strong security posture," Tyler Reguly, technical manager of security research at nCircle, said.

The vulnerabilities addressed in both updates enable attackers to remotely execute code by having a victim open a malicious file sent by email or click on a link to a malicious Web site.

The remaining two critical updates, MS12-024 and MS12-025, fix flaws that leave Windows systems vulnerable to remote code execution. The same danger is avoided in Office 2007 SP2 by deploying one of the important patches.