Microsoft issued 11 security bulletins on Patch Tuesday covering a total of 17 vulnerabilities, 10 of them critical. The 11 patches address the Windows operating system, the Internet Explorer Web browser, Microsoft Office and other programs.
"While the batch of critical vulnerabilities all require some sort of user interaction to exploit, the interaction can be as simple as visiting a trusted Web site that has first been exploited by an attacker," said Ben Greenbaum, senior research manager for Symantec Security Response.
As consumers and enterprises become more savvy to security risks, he added, attackers are finding ways to distribute malware through trusted sites in addition to distributing via an attachment or random link in an e-mail.
"These vulnerabilities underscore the importance of having a full security suite to protect consumers and enterprises from being exploited since they can no longer only rely on traditional best practices alone, such as avoiding unknown or unexpected e-mail attachments or following Web links from unknown sources," Greenbaum said.
Happy Valentine's Day
"This month's patches are going to require a great deal of man-hours for IT admins, from determining what is affected to the testing and deployment processes. IT administrators might be spending this Valentine's Day in the office," said Paul Zimski, senior director of market strategy at Lumension Security.
"Because we are so used to trusting and opening Office attachments, the fact that there are three critical patches for Office opens up a huge window for a potential attack, whether general or targeted," Zimski said.
Indeed, five of the 11 advisories this month are client-side issues in software users run every day, such as the Web browser and Office applications. These are likely responses from Microsoft to specific, targeted attacks that have been building up over the past few months.
"This is bad news for enterprises," said Tyler Reguly, security researcher for nCircle, a security and compliance technology firm that works with companies like Visa, US Cellular and Archer Daniels Midland.
A Special Focus on IE
Qualys recommends organizations focus their attention first on MS08-010, which patches four individual flaws within Internet Explorer across a wide range of Windows versions. If a user with an unpatched system visits a Web site containing specially crafted HTML, the attacker can execute code with the rights of the logged-on user; for a user running with administrative rights, that amounts to complete remote takeover of the machine.
"While this is a replacement patch for MS07-069, released late last year, it is still important to apply because it affects so many different systems and requires very little user interaction to be exploited," said Jonathan Bitle, director of technical account management at Qualys.
Denials of Service
This month's monster patch is MS08-003, which fixes a flaw in Active Directory. Although it is "only" a denial-of-service vulnerability, the impact on the availability of server and client resources could be extremely widespread in enterprise networks, Reguly said.
Another important advisory is MS08-004 -- also a denial-of-service vulnerability -- and the second TCP/IP advisory so far in 2008. This patch matters because a rogue DHCP server on the local network that exploits the flaw could leave large numbers of Vista workstations unavailable at initial boot, making it impossible for users to gain access to network services and stored information. "With the large-scale Vista conversions under way," Reguly noted, "this is of particular concern for large enterprises."
Where's the Excel Fix?
Noticeably absent from this month's release is a fix for a zero-day Excel vulnerability made public on Jan. 16 that is currently being exploited in the wild. As it stands, Bitle said, end users who open a specially crafted Excel spreadsheet containing remote code execution exploit code can turn over control of their system to hackers.
"Microsoft did preannounce a Patch Tuesday release containing 12 patches, and today's release came up one short," Bitle remarked, "therefore it's unknown whether the removed patch could be related to this Excel zero-day threat."