Patch Tuesday: Microsoft Fixes Only Four BugsPatch Tuesday: Microsoft Fixes Only Four Bugs

IT and security managers who have been gearing up for the long hours of work that generally come with Microsoft's monthly Patch Tuesday can relax a little.

It's going to be a relatively easy time this month. And that's a big swing from last month's mega patch release, which included nine security bulletins covering 14 vulnerabilities.

September's patch release only includes four security bulletins. Last week, Microsoft had announced that there would be five bulletins, but one was pulled before the official release.

"It's a pretty light month, really," said Tom Cross, a security researcher with IBM's Internet Security Systems X-Force, in an interview. "We're not highlighting any for our customers."

The batch of bulletins includes one critical and three that are rated important, the company's second-highest security rating. The critical bug involves a remote code execution vulnerability in the way the Microsoft Agent handles certain specially crafted URLs, according to the Microsoft advisory. The bug affects Microsoft Windows 2000 Service Pack 4. Microsoft noted that users whose accounts are configured to have fewer user rights on the system would be less affected than those with more administrative rights.

Symantec Security Response is warning users that researchers there considered the remote code execution vulnerability in Microsoft Agent ActiveX to be critical since ActiveX controls run on a "significant number" of systems. "Symantec has observed a significant increase in ActiveX vulnerabilities this year," said Ben Greenbaum, senior research manager at Symantec, in a statement. "Attackers are targeting trusted Web brands, such as social networking sites, and then waiting for their victims to come to them so they can exploit the vulnerability and gain access to the individual's computer."

One of the bulletins rated important addresses a vulnerability in Visual Studio that could allow an attacker to remotely execute code. Cross noted that this bug has been public since this past January when a proof-of-concept exploit for it was floated on the Internet. The exploit, though, didn't bring many attacks.

"It's just not a widely distributed application that people looking to launch attacks are exploiting," said Cross. "Programmers are a sophisticated group and less likely to fall for tricks and click-on-this-link tricks."

Another bulletin rated important deals with a publicly disclosed vulnerability in Windows Services for Unix 3.0, which could allow an attacker to gain elevation of privilege. The fourth bulletin, also rated important, handles a publicly disclosed vulnerability in MSN Messenger and Windows Live Messenger, which could allow an attacker to take complete control of the affected system.