Microsoft plans to ship five security bulletins next Tuesday with fixes for serious security vulnerabilities that could lead to remote code execution attacks.
The updates, all rated “important,” will provide fixes for security holes in the Microsoft Windows operating system, the Microsoft Office productivity suite and the Microsoft Server Software.
According to an advance notice issued by Redmond, the flaws could lead to code execution or elevation of privilege attacks. At least one of the bulletins will require a restart after installation.
The Windows OS updates will apply to all versions of the operating system, including the newest Windows 7 and Windows Server 2008 R2.
Despite the light Patch Tuesday and the absence of “critical” bulletins, Rapid7 security researcher Marcus Carey is urging IT administrators and Windows users to avoid downplaying this batch of patches.
“It’s easy for organizations to gain a false sense of security during a light patch month and sometimes an attitude of complacency towards non-critical vulnerabilities is evident, but while there are no “critical” bulletins this month, organizations should not downplay the vulnerabilities being addressed. I know of organizations that have 30 day patch requirements for “critical” – which is too long in my opinion – and up to three months to patch “important” and below,” Carey said.
While “important” vulnerabilities may not give attackers the full root privileges generally associated with “critical” vulnerabilities, Carey warns that an attacker can use an “important”-rated vulnerability to achieve an initial compromise and then escalate privileges by other means.
“By using an “important” vulnerability and other methods, attackers can still end up with the same result, and so it is essential that organizations understand that all five of these “important” bulletins can result in an escalation of privileges for the attacker, which is a serious matter and needs to be addressed quickly,” he added.