Microsoft addressed 23 vulnerabilities in seven bulletins, including one that could result in four patches on one system, in this month's Patch Tuesday release.
The MS12-034 bulletin, labeled critical, covers 72 operating system-service pack combinations, 31 .NET framework types, nine Microsoft Office installations and six Silverlight installation types.
The bulletin addresses a vulnerability in which an attacker could craft a Web page or document that has embedded TrueType fonts. However, Microsoft notes, the attacker would have to coerce someone into visiting the malicious page or document.
One security expert thinks it should be a top priority for Windows Server administrators.
With "118 different [operating system and] software types affected, you're going to see it all over your network," said Jason Miller, a member of Shavlik’s Patch Patrol Team. Both this bulletin and MS12-035 involve the .NET framework, which could result in admins "sitting around waiting" due to its notoriously long patch time, Miller said.
Patching workstations, light month for servers
Admins' other priorities are primarily workstation issues, mainly in Microsoft Office.
The Office bulletin, MS12-029, addresses a vulnerability in which an attacker could develop a malicious RTF document that, if opened, could give the attacker the same rights on the system as the user.
"[Patching] Office [is] a priority in this kind of scenario," said Wolfgang Kandek, CTO at Redwood Shores, Calif.-based Qualys Inc., an IT security firm. He also noted an Excel vulnerability as a point of emphasis, where a user could be tricked into opening a malicious file that results in elevation of privilege.
Other bulletins include patches for vulnerabilities in Windows Partition Manager, TCP/IP and Microsoft's Visio viewer. These all could result in elevation of privilege; Miller and Kandek said these are less of a priority.
In all, it is a light month for server admins, noted Miller, as Microsoft trends toward alternating between Office and operating system patches from month to month.
Administrators can go to Microsoft's security bulletin page to get a rundown of all updates.