Patch Tuesday: Microsoft Fixes 15 Bugs, 2 In Windows Vista
Six of the critical flaws are in Windows software and another six are in Microsoft's Internet Explorer browser.
In its monthly Patch Tuesday release today, Microsoft issued six security bulletins that patch 15 vulnerabilities -- two of them in Windows Vista.
This month's batch of vulnerability fixes addresses 12 critical bugs. Six of the critical flaws are in Windows software and another six are in Microsoft's Internet Explorer browser. The one security update marked as "important" -- Microsoft's second-highest risk level -- fixes two vulnerabilities in Microsoft Office. The update given a "moderate" rating patches one flaw in Windows.
One of the critical vulnerabilities affects Windows Mail in Windows Vista and Windows Vista x64 edition. The update rated moderate also affects Windows Vista.
Dan Holden, a product manager with IBM's Internet Security Systems, said in an interview that the Vista bugs are in the upgrade process. Only users who migrate from Windows XP to Windows Vista are affected. "I doubt you would see this vulnerability in most Vista instances," he added. "Many enterprises will have Vista on brand-new machines. We're not seeing mass migrations from XP to Vista."
Symantec Security Response rated the vulnerabilities in the Cumulative Security Update for Internet Explorer as the most critical since two of the five vulnerabilities listed in this security bulletin affect Internet Explorer 7.0 on Windows Vista. "A user could become infected when browsing the Web and landing on a malicious Web site," said the advisory e-mailed to information. "A successful exploit could allow an attacker to install malicious code of his/her choice and potentially gain complete control of the affected system if the victim is logged in as an administrator."
Holden said that while none of the vulnerabilities being patched this month have been causing a lot of problems, he's glad that the cumulative IE patches are out.
"It's one of those vulnerabilities that malware writers and cybercriminals prey on," said Holden. "It's important because it will get used." One of the Internet Explorer bugs enables criminals, like phishers, to spoof a site's URL.
Dave Marcus, a security research manager at McAfee Avert Labs, said in an e-mail that Microsoft's patch release this month underscores the risks of surfing the Web unprotected.
"Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site, a favorite attack method among cybercriminals," said Marcus. "Criminals are increasingly using the Web to deliver malicious software. In such drive-by downloads, an attacker places malware onto a vulnerable computer without the user noticing it. This malware most often targets various types of identity information of the victim."
Last month, Microsoft issued seven advisories -- all rated critical -- that patched 19 vulnerabilities that affect Windows, Office, and Internet Explorer.
Three of the security bulletins handled bugs in Microsoft Office, with one each for Windows, Microsoft Exchange, and Internet Explorer. Two of the vulnerabilities affected Microsoft's highly-touted Windows Vista operating system, while six of them are bugs in various versions of the company's ubiquitous browser, Internet Explorer. Five of the bugs are in IE7.