The latest patches from Microsoft have been welcomed despite many of the vulnerabilities having been reported several years ago.
Shavlik's Eric Schultze claimed that the eight patches, five of which were labelled critical, included ‘fixes for a number of issues that Microsoft previously identified as too laborious/complex to fix’.
Schultze said: “This includes fixes for the Safari Carpet Bombing and SearchPath issues, additional enhancements for credential reflection (à la the SMBRelay fix in MS08-068), and Service Isolation issues, as called out at a 2008 security conference.
“Microsoft had previously stated that each of these issues was either too complex to solve or didn't represent an actual vulnerability. It's enlightening to see that they've taken a second look at each of these topics and have found solutions to address each.”
Schultze claimed that this was the ‘most ambitious patch to date’, as Microsoft used Windows 7 developers to assist with the creation of the MS09-012 patch, which addresses several elevation of privilege vulnerabilities in Microsoft Windows.
Schultze said: “We can only hope that Microsoft continues in this vein and re-examines other parts of the Operating System that were thought too complex to fix.”
Shavlik recommended the following order of priority for installation: MS09-009; MS09-010; MS09-014; MS09-011; MS09-013; MS09-012 (if running IIS or SQL); MS09-015.
Meanwhile, blogger Aviv Raff praised Microsoft for releasing a patch for the ‘DLL-load Hijacking’ vulnerability, which he said he had reported to them two and a half years ago.
Raff said: “I had a long discussion with Microsoft about this vulnerability, and we both had several twists as time went by.” He claimed that he originally reported it on 29th October 2006, which Microsoft acknowledged the same day, but the following day Microsoft replied that ‘if an attacker has the ability to modify/replace system files on a user's system then it is very likely that the system is already compromised in many other ways’.
Raff said: “After almost two and a half years since I first notified them about the vulnerability, and almost one year after I notified them about the ‘blended threat', Microsoft have finally released a patch. They broke their third promise (Windows 7, remember?), but this time for a good reason.”