Today Microsoft released 13 security bulletins: two rated Critical, nine Important and two Moderate. These bulletins address 22 unique vulnerabilities in Internet Explorer, Microsoft .NET Framework, Microsoft Developer Tools, Microsoft Office and Microsoft Windows.
For those who must prioritize deployment, Angela Gunn, senior response communications manager, Microsoft Trustworthy Computing, recommends focusing first on the two critical updates:
- MS11-057 (Internet Explorer). This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin.
- MS11-058 (DNS Server). This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk.
Qualys CTO Wolfgang Kandek comments: “Top priority should be given to a ‘critical’ bulletin that affects Internet Explorer 6 through 9 on Windows 7, XP, Vista, 2003 and 2008. If left unpatched, attackers could use this vulnerability to remotely take control of victims’ systems.”
To learn more about patching challenges and techniques, read our interview with Wolfgang Kandek, where he offers his extensive knowledge on the subject.