Microsoft has released eight updates for its monthly Patch Tuesday.
Of the updates, five are rated as critical, two are rated as important, and one is rated as moderate.
The critical updates include MS09-009, which addresses two remote code execution vulnerabilities in Microsoft Excel, where an attacker could exploit the vulnerability by sending a user a malformed file, and MS09-010, which addresses four remote code execution vulnerabilities in Microsoft WordPad and the Microsoft Office text converters, where an attacker could likewise exploit the vulnerability by sending a user a malformed file.
An important update is MS09-012, which addresses several elevation of privilege vulnerabilities in Microsoft Windows that are commonly known as Token Kidnapping.
Alan Bentley, regional VP EMEA of Lumension, claimed that this is the most active Patch Tuesday in quite some time, and that the patches mentioned above should be on the priority list.
Bentley said: “Since Microsoft started providing exploitability information last year, this is the first time we've seen six vulnerabilities being exploited in the wild at the time the corresponding bulletins were released. This is definitely putting pressure on IT Teams to get these patches tested in their environments and out to the endpoints in their organisations.
“A quick look at the remaining bulletins shows that they all should be carefully reviewed – so definitely nothing that can be put on the back burner.”
The Microsoft security response team answered questions on why it can take so long for a security update to be released.
A statement said: “When we here at Microsoft are asked this question, our answer is ‘we want to get this right’. Or to put it another way, we are constantly asking ourselves during any given release cycle, ‘are we doing the right thing for our customers?’
“If, as a result of any given investigation, we find a variant of a vulnerability we are fixing, do we dig deeper to make sure we cover all our bases, or do we just fix what we can see and ship the update because of external pressures?
“I will say that we will do the right thing for our customers; we will dig deeper; we will hold a low quality update; and we will release an update when it is ready for broad distribution; no sooner or no later.”