Patch Tuesday, Microsoft's monthly ritual of issuing fixes on the second Tuesday of every month, is a modest affair this month, with only two fixes coming out. But they affect both Windows and Office.
The company Tuesday issued two security bulletins, one rated critical and one rated important. Both flaws could allow for remote code execution attacks. The updates apply to users running all supported versions of Windows, including Vista and Windows Server 2008, and Microsoft Office 2003 and 2007.
Users should not be complacent in thinking the errors are not important, said Wolfgang Kandek, CTO of security firm Qualys. "While there is a small number of patches this month, the flawed components are core to both the Windows OS and Windows applications such as Office and Portal servers, etc. and are likely to be found in almost all machines of a typical customers installation," he said in an e-mailed comment to InternetNews.com.
MS08-068 is rated as important and covers a publicly disclosed vulnerability in the Microsoft Server Message Block (SMB) Protocol. This vulnerability allows an attacker to replay the user's credentials back to them and execute code in the context of the logged-on user. That means someone with administrator's rights could have full control of the machine.
Kandek said patching should be done as quickly as possible. "Users can easily be tricked into accessing Web sites that can contain exploits for these new vulnerabilities. Companies with a structured patch process should be able to handle this month with slightly less impact than last months," he wrote.