Administrators have a hefty number of patches for Windows server and client versions this month.
March patches include five critical updates and nine important updates. All five critical updates address remote code execution vulnerabilities.
The remaining critical updates fix vulnerabilities in Internet Explorer (IE), which is a top priority as one exploit is publicly available, said Wolfgang Kandek, CTO of Qualys, Inc., a cloud security and compliance software provider based in Redwood Shores, Calif.
Another critical update resolves five vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. Customers whose accounts operate with administrative user rights are at higher risk than those whose accounts are configured to have fewer user rights.
The critical update affects all supported editions of Microsoft Office 2007 and Office 2013. The patch corrects how Office handles files in memory and parses specially crafted files. This update should be second on IT administrators' priority lists, as Office is a widely installed product in enterprises, said Amol Sarwate, vulnerability labs manager for Qualys.
One critical update fixes two vulnerabilities in Microsoft Windows that could be exploited if a user browses to a specially crafted website or file. The update affects all supported versions of Windows, including Windows Server Technical Preview. The update corrects how Windows handles the loading of DLL files and how Microsoft Text Services handles objects in memory.
Three of the important updates address elevation of privilege vulnerabilities in Windows and Exchange Server. Two important updates deal with information disclosure vulnerabilities in Windows. One important update addresses a spoofing vulnerability in Windows, and another fixes a denial of service vulnerability in Windows. Two separate bulletins address security feature bypass vulnerabilities in Windows. Finally, one important update addresses a vulnerability in Windows that could allow denial of service if an attacker creates multiple Remote Desktop Protocol sessions that fail to properly free objects in memory.