Microsoft today patched 12 vulnerabilities in Windows, Office and Internet Explorer (IE), including three critical bugs in the company's newest browser, IE8.
Of the 12 flaws fixed in Tuesday's six security updates, seven were rated "critical," the highest severity ranking in Microsoft's four-step scoring system. Four of the remaining flaws were pegged as "important," one step lower on the scale, while the final vulnerability was labeled "moderate."
Security researchers unanimously voted MS09-072, the five-patch update for IE, as the one that demands immediate attention.
"That's certainly the one to watch," said Andrew Storms, the director of security operations at nCircle Network Security. "You can't focus enough attention on the IE update. It trumps the bunch."
Richie Lai, the director of vulnerability research at security company Qualys, echoed Storms. "MS09-072 affects IE, which is a big attack surface," said Lai, "and the vulnerabilities are primed to be exploited by classic drive-by attacks."
"Definitely take a look at that one," chimed in Jason Miller, the security and data team manager for patch management vendor Shavlik Technologies. "Browser attacks are the most prevalent of all attacks."
One of the five fixes included in the IE update addressed the zero-day vulnerability that Microsoft confirmed last month after sample attack code that exploited a flaw in IE's layout parser went public.
Storms applauded Microsoft's speed in quashing the bug. "That was record time for Microsoft, to patch in just two weeks," he said, adding that it usually takes the company a month or more to ready a fix. "The holiday online shopping season had to increase the pressure to patch, but then again, it looks like Microsoft already knew about the bug," said Storms, referring to the credit that Microsoft gave to VeriSign iDefense for reporting the flaw.
But the big news today, said Storms, Lai and Miller, was the fact that of the five IE vulnerabilities in MS09-072, three affect the newest edition of the browser, IE8. Two of those three affect IE8 only; Microsoft's other browsers were immune.
"You can bet that engineers at Microsoft are as depressed about these bugs as much as we are," Storms said of the IE8 vulnerabilities.
"The question is why they're there," Storms continued. "It would be easier to explain if both IE8 and IE7 were vulnerable, as is the case with one of the vulnerabilities. But the fact that two are IE8-only makes us wonder if Microsoft's Security Development Lifecycle is working." Security Development Lifecycle, or SDL, is the term Microsoft has given to a development process that stresses security testing while a piece of software is being written.
"[The flaws] could be in new code or old code, but we don't know where they were brought into the process," Storms said.
Even so, Storms, Lai and Miller all bet that the fault lay in new code Microsoft crafted for IE8. "I'd say it was in new features," said Lai. "Microsoft made a lot of HTML updates to IE8 to reach standards compliance, so I'm pretty sure the bugs are in the new code base."
"New features means more code to be reviewed, and more likelihood of something slipping through," Storms noted. "Old code, you would expect has been reviewed more than once already."
"Sometimes code is dropped [from a program] and new code is used instead," said Miller. "They're in the brand-new code and the new technologies in IE8."
Attackers will likely come up with working exploits for the IE vulnerabilities patched today, Microsoft said, giving four of the five bugs an exploitability index rating of "1." That means reliable attack code will probably appear in the next 30 days.
The remaining five security updates, which patched an additional seven vulnerabilities -- just two of them considered critical -- are also-rans in Storms' mind. "All the rest of them have some kind of mitigation," he said, ranging from a requirement to have authenticated access to a wireless-only attack vector.
Lai's colleagues at Qualys didn't agree with Storms. "MS09-070 needs attention," said Amol Sarwate, the manager of Qualys' vulnerability research lab, pointing to the bulletin that patched two vulnerabilities in Microsoft's Active Directory, a critical component within enterprises.
Wolfgang Kandek, Qualys' chief technology officer, added MS09-073 to the list of apply-now updates. The bulletin patches WordPad, the minimalist text editor included with all versions of Windows, and the text converters used by Microsoft's Office suite to parse Word 97 documents.
"File format vulnerabilities tend to be downplayed," acknowledged Kandek, "but everyone has WordPad. Although an exploit won't exactly be easy, [attackers] won't have trouble finding out how to do it."
The bright spot on this Patch Tuesday was the immunity of Microsoft's newest operating system, Windows 7, to any of today's updates, said the researchers. "Except for the IE8 bugs, there were none for Windows 7," said Miller. "So that's a good sign."
But it's too early to call Windows 7 a resounding security success, Miller cautioned. "Remember, Vista was much the same when it came out," he said.
Microsoft also released a pair of security advisories today that spelled out additional tactics for users and company administrators to further protect Windows against attacks already disclosed, or that have actually been used in the past.
This month's security updates can be downloaded and installed via the Microsoft Update and Windows Update services, as well as through Windows Server Update Services.