Microsoft releases super bundle of security patches

Microsoft has released what security experts are calling one of it most significant security fixes this year.

On Tuesday morning, the software maker pushed out nine sets of patches, called updates in Microsoft parlance, fixing a total of 14 bugs in its software. Six of these updates are rated critical by Microsoft, meaning that attackers could exploit the flaws with no user action required. The other three updates are rated important.

It is the largest set of updates released by Microsoft since February.

"People should definitely cancel their dinner plans and make sure they take this one seriously because both the breadth and impact of these are important," said Don Leatham, director of solutions and strategy with PatchLink. "This is an intense month."

Leatham is particularly concerned with the MS07-046 update, which fixes a critical flaw in the graphics rendering system used by Windows. The flaw lies in the Windows graphics device interface software used to send graphics data to printers and monitors.

Microsoft says that attackers could exploit this flaw by tricking a victim into opening a specially crafted e-mail attachment, but because the bug lies in a core component of Windows, Leatham believes that there may be other ways to exploit the flaw. "I think this will be a target of the hacking community," he said. "If it's clear down in the graphics rendering engine, I'm assuming that there may be other ways to exploit this because the graphics rendering engine is used by many applications."

The flaw affects all supported versions of Windows, except Windows Vista and Windows Server 2003 Service pack 2.

Three other patches, fixing critical flaws in Excel and Internet Explorer should also be given priority, said Amol Sarwate, manager of Qualys's vulnerability research lab. Those updates are MS07-044, MS07-045, and MS07-050.

These desktop applications are generally the weakest link in corporate security and are increasingly being targeted by attackers, Sarwate said.

All of the vulnerabilities patched Tuesday affect some components of the desktop, Sarwate noted. None of the bugs patched Tuesday had been publicly disclosed, he said.

Other critical updates relate to the XML Core Services used by Internet Explorer to process XML pages and the Object Linking and Embedding technology used by some Windows applications.

The less-critical updates fix bugs in Windows Media Player, Microsoft Virtual PC and Virtual Server, and Windows Gadgets.

With 50 security updates now released, Microsoft has kept pace with last year's patch output. By August 2006, Microsoft has issued 51 updates.