Bumper set of security patches from Microsoft

School's not out for IT administrators, as Microsoft released a bumper crop of updates, patching 26 vulnerabilities late yesterday - the highest number addressed by its monthly round of security patches in two years.

The update includes six critical and five important patches, as previewed last week, ensuring the August summer holidays will be a busy time for IT security administrators, just like last year.

"This is a mammoth 'Patch Tuesday,' and we have not seen anything of this scale in a long time," said Karthik Raman, a McAfee researcher.

The six critical patches have been given the software vendor's highest severity rating because the vulnerabilities could allow attackers to remotely take complete control of a computer running the vulnerable software.

"Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply views a malformed image or visits a malicious website, a favourite attack method among cybercriminals," Raman said.

The majority of the vulnerabilities addressed by the August security bulletin can be exploited through malicious websites or by tricking a computer user into opening a rigged image or Office file.

Two of these, MS08-041 and MS08-042, cover vulnerabilities that had already been publicly disclosed and are actively being used in cyberattacks.

McAfee recommended organisations prioritise the updates that fix the image processing flaws (MS08-044) and the Internet Explorer update (MS08-045), because it said attackers were more likely to take advantage of these vulnerabilities in new attacks.

Andrew Clarke, Lumension Security international vice president, focused on the breadth of affected software products, which span both desktops and servers: "All six critical patches are identified as fixing vulnerabilities relating to Microsoft Windows, Internet Explorer, Media Access Player, Access, Excel, PowerPoint and Microsoft Office," he said.

Clarke urged IT departments to act quickly and carefully assess which patches should receive priority.

"Looking at the impact on IT groups managing servers, critical updates will be issued that apply to Windows 2000, 2003 and 2008," he advised. "For those managing desktops, critical updates will be released for XP, Vista, Office 2000, Office XP and Office 2003."

He also highlighted another vulnerability for users of Windows Messenger: "MS08-050 is concerning as it allows unauthorised access to a user's messenger account," Clarke said.

Miya Knights
