September Patch Tuesday shows benefits of MS Windows refresh for corporates

Microsoft is releasing nine bulletins addressing 11 vulnerabilities today in its Patch Tuesday monthly security update.

Microsoft is releasing nine bulletins addressing 11 vulnerabilities today in its Patch Tuesday monthly security update.

Four bulletins have a rating of "critical" and affect Windows XP, Windows 2003 and Vista.

"Once again, Windows 7 and Windows Server 2008 R2 are less problematic and are not affected by three of the four critical vulnerabilites and have a downgraded severity of "important" for the last one," said Wolfgang Kandek, chief technology officer at security firm Qualys.

Microsoft Office XP, 2003 and 2007 are affected by two bulletins, each carrying a severity of "important", even though they allow the attacker to take control of the affected system.

"I expect some of the bulletins to address DLL Hijacking issues in Microsoft's own products, but it will be interesting to see if Microsoft will change its guidance for Hotfix KB2264107. Currently it is only at the advisory level and users have to make an active decision to get protection against DLL hijacking in third-party applications," said Kandek.

There will be no security updates for Windows XP SP2 users, even though most updates for XP SP3 are likely to apply to SP2.

"Windows XP SP2 users should upgrade to SP3 as quickly as possible," said Kandek.

IT teams can expect a lighter load with only nine bulletins, said Don Leatham, senior director of solutions and strategy at security firm Lumension.

"But with at least one affecting Internet Information Services (IIS), organisations that use Microsoft's Web hosting solution will want to pay special attention to this particular bulletin," he said.

September's Patch Tuesday shows the fruit of Microsoft's efforts to make their latest platforms and products more secure, and should encourage organisations to continue to move away from the Windows XP and Windows Server 2003, said Leatham.

"A simple comparison of affected software in this notification shows clearly how older versions of Windows are essentially less secure," he said.

XP and Server 2003 have three critical, five important bulletins, compared with zero critical and only three important bulletins for Windows 7.

"These results show that organisations running Windows 7 and Server 2008 R2 are running much more secure environments and, as an added benefit, this Patch Tuesday will practically be a non-event for them," said Leatham.

Read more on Hackers and cybercrime prevention