Two August updates rated as important also should be of interest to IT professionals, even if Microsoft has rated them below the critical updates. They are MS08-047, which fixes a vulnerability in IPsec Policy processing, and MS08-50, which patches a flaw in Messenger.
Though Microsoft doesn't rate flaws that allow for information disclosure as critical, the IPsec vulnerability could turn what people think are trusted encrypted information tunnels into open text communications. That could make it critical for certain companies using IPsec intensively to transfer critical data, such as health care organizations that work with confidential patient information, Leatham said.
Similarly, Microsoft has not rated the Messenger vulnerability as critical because it only deals with information disclosure; however, it opens up the opportunity for a "social-engineering attack that we haven't seen before" and should be taken seriously, said Amol Sarwate, manager of the vulnerabilities research lab at Qualys. Qualys, based in Redwood Shores, California, provides vulnerability-management and policy-compliance services.
"It allows attackers to invite people for audio or video conferencing by impersonating a victim," he said, noting that it also is a zero-day vulnerability.
Last Thursday, Microsoft said it expected to release 12 security updates on Tuesday as part of its monthly patch cycle, called Patch Tuesday by security researchers. At the last minute, however, it pulled one of those updates because of quality issues, the company said.
Microsoft did not provide further information on whether or when it would release the update; however, when updates have been pulled at the last minute before, they have usually been released as part of the next month's patch cycle.
Also complicating matters this month is a recent security advisory and patch Microsoft sent out for the tool many companies use to patch Microsoft applications, Windows Server Update Services, Leatham said. He advised that companies ensure they update the tool and verify that it is working properly before installing August's patches.
"There was an odd bug causing some security patches not to be deployed into areas of organizations," Leatham said. "You want to make sure your WSUS server has been patched" before installing another round of updates.