Microsoft uses the software to render files, such as PDFs, so that they display in the browser-based Outlook Web Access client. Viewing an attachment that contains malicious code could therefore compromise the server. Oracle patched the software in April and again in July, and Microsoft is now passing the updated version along to its users.
"The server side process, which generates the Web page, could get compromised and let an attacker control an Exchange server," said Amol Sarwate, the director of Qualys Vulnerability Labs.
This bulletin serves as a reminder to Microsoft and other software vendors that rely on third-party libraries or programs that "vulnerabilities can bubble up through the supply chain," Kandek said.
The patches apply to all supported versions of Microsoft Exchange Server 2007, Exchange Server 2010, and Exchange Server 2013.
The third critical bulletin applies only to Windows XP and Windows Server 2003, and involves a hole in how Windows handles OpenType fonts. It may be one of the last vulnerabilities Microsoft fixes for the aging OS.
Microsoft will discontinue support for Windows XP next year, which means that if new vulnerabilities are found, Microsoft will not fix them, aside from customers who pay the company considerable sums for continued support.
As a result, Windows XP "will very quickly become quite an easy target for attackers," Kandek said. He noted that 10 percent of the companies that Qualys consults with still run Windows XP. "Nobody should use XP anymore after its expiration date."
This month's set of patches dredges up another specter from the past: the dreaded Ping of Death, which was exploited in the late 1990s for denial-of-service (DoS) attacks. It worked by sending an oversized ping request, split across multiple fragments, that exceeded the maximum legal packet size; the computer trying to reassemble the fragments would crash.
Although the holes that enabled the Ping of Death were long ago fixed in operating systems, this vulnerability works in a similar way, by taking advantage of a flaw in Windows' implementation of ICMPv6, the IPv6 version of ICMP (the Internet Control Message Protocol), the protocol that underlies ping.
Microsoft labeled this vulnerability as important, perhaps due to the limited number of IPv6 networks currently running. But it is a good reminder that many security issues previously thought solved may come up again as organizations move to IPv6.
"It allows a remote unauthenticated attacker to send a few ICMP packets that would cause the machine to crash," Sarwate said. "It illustrates how much we still have to learn about IPv6."
If a company has no immediate plans to move to IPv6, its administrators should disable IPv6 on systems that do not need it, so that defects such as this one cannot be exploited.
"If you disable it, you don't run into these problems," Kandek said. "If you don't use a certain piece of software, then is nothing better than uninstalling it, in terms of security."
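The following is an added example for the advice above, not code from the article or from Microsoft: it audits whether IPv6 is bound on a Windows host and shows the registry switch Microsoft documents for disabling the stack. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (Get-NetAdapterBinding is not available on older releases, though the registry part is); the registry path and the 0xFF value are the documented ones, and the function names are my own.

```powershell
# Added example (not from the article): audit IPv6 on a Windows host and, if it
# is genuinely not needed, disable it via the DisabledComponents registry value.
# Run from an elevated PowerShell session; a reboot is required for the change.
$Tcpip6Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'

function Get-IPv6DisabledComponents {
    # Returns the current DisabledComponents bitmask. A missing value means 0,
    # i.e. IPv6 fully enabled (the Windows default).
    $item = Get-ItemProperty -Path $Tcpip6Params -Name DisabledComponents `
        -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    # The value is a REG_DWORD; mask so values above 0x7FFFFFFF don't read as negative.
    return ([int64]$item.DisabledComponents) -band 0xFFFFFFFF
}

function Disable-IPv6Stack {
    # 0xFF disables IPv6 on all interfaces and tunnels except the loopback.
    # New-ItemProperty -Force creates the value if absent or overwrites it.
    New-ItemProperty -Path $Tcpip6Params -Name DisabledComponents `
        -PropertyType DWord -Value 0xFF -Force | Out-Null
}

# 1. Which adapters still have the IPv6 protocol bound?
Get-NetAdapterBinding -ComponentID ms_tcpip6 |
    Select-Object Name, Enabled |
    Format-Table -AutoSize

# 2. Current state of the registry switch.
'DisabledComponents = 0x{0:X2}' -f (Get-IPv6DisabledComponents)

# 3. Only after confirming nothing on the host depends on IPv6 (see note):
# Disable-IPv6Stack; Restart-Computer
```

One caveat before following the advice in the article wholesale: Microsoft's own guidance is not to disable IPv6 globally, because some Windows components depend on it. Test on a representative host first, and where only one network needs to lose IPv6, unbinding the protocol from that adapter with Disable-NetAdapterBinding -ComponentID ms_tcpip6 is a narrower, reversible step than the registry switch.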
Since the start of the year, Microsoft has issued 65 patches, seven more than at the same point last year. The company seems to be making headway on the most serious vulnerabilities, however: 25 of this year's patches have been rated critical, 10 fewer than at the same point last year, while 40 have been rated important, compared with 35 last year, according to a count from security research firm Lumension.
Microsoft will hold a webcast to explain these issues in more detail on Wednesday.