Windows users will be busy updating their machines this month. Microsoft's second Patch Tuesday of 2008 resulted in a whopping 11 updates -- six critical and five important -- making this month's batch the biggest update load since August of last year.
The six critical updates patched numerous vulnerabilities in applications that had tremendous global usage, including WebDAV Mini-Redirector, OLE Automation, Microsoft Word, Internet Explorer, Microsoft Office and Microsoft Office Publisher. All critical patches protect users' machines from remote exploitation that could allow an attacker to take complete control or shut down an affected system.
While this month's round of patches fixed numerous serious errors, security researchers contend that the most severe vulnerability fixed today was in the WebDAV Mini-Redirector, a default Windows program installed automatically on user PCs. Unlike other critical vulnerabilities, a remote attack could be executed with elevated privileges, regardless of the end users' authentication status. The attacker could then infiltrate the affected machine to install programs, view, change or delete data or create new accounts.
"No matter who you're logged in as, the attacker will have system privileges on your machine," said Ben Greenbaum, senior research manager for Symantec Security Response.
In addition, Greenbaum underscored the seriousness of the cumulative Internet Explorer updates, which resolved a total of four vulnerabilities. The most serious of these errors could allow a remote attacker to execute malicious code by enticing users to view a specially crafted Web page using IE. Users with reduced-privilege accounts or those with fewer system rights will likely be less affected than those accessing the browser with administrative privileges.
The popular browser has become an increasingly susceptible vector for exploits targeting Web 2.0, experts say. Greenbaum said that client-side vulnerabilities have "gone through the roof" as applications continually become the focus of attackers' activities and as social engineering tricks become progressively more sophisticated.
"It's the way attackers are installing bot software to build a botnet," said Greenbaum.
The five patches given an "important" rating fixed holes in widespread applications that include Active Directory, Windows TCP/IP, Internet Information Services and Microsoft Works File Converter. Two of these patches, for IIS and Microsoft Works File Converter, fixed vulnerabilities that could be remotely exploited with malicious code.
The heavy update load came in direct contrast to January's relatively light release, which contained just two fixes. Security experts maintain that Microsoft tends to alternate between heavy and light security bulletins. "We were somewhat due for something a little heavier," said Greenbaum.
Experts advise that users install all patches as soon as possible, due to the severe nature of the vulnerabilities. In addition, researchers recommend that users run as many programs as possible with decreased privileges, so as not to transfer those same privileges to potential attackers. "You should not be using IE on an administrator level account," said Greenbaum.
The security bulletin release contained one fewer update than expected. The Advanced Notification bulletin published Thursday of last week originally projected a total of 12 updates. A disclaimer on Microsoft's Web site noted that as last-minute research is conducted, the bulletins may be pulled if researchers feel there "is an issue" with the update or if it fails to meet high enough quality protection standards.