July 10, 2012, 4:32 PM — It's the second Tuesday in July, and you know what that means: it's Microsoft Patch Tuesday. Today, Microsoft released nine new security bulletins as predicted
in the advance notice last week. Some updates are more urgent than others, though, so we turn to security
experts for insight and analysis to help guide your patching efforts.
Of the nine security bulletins, three are rated as Critical while the remaining six are ranked as merely
Important. Of course, Important still suggests a sense of urgency that shouldn't be ignored.
The three Critical bulletins address the vulnerability in Windows XML core services, and flaws in Internet
Explorer 9 and Microsoft Data Access Components (MDAC). The Important updates fix a range of issues affecting
Windows, Office, Office for Mac, and SharePoint.
Qualys CTO Wolfgang Kandek states in a blog post, "Of the three bulletins
rated critical, the top priority goes to MS12-043 that addresses the MSXML vulnerability, which has been under attack for
the last 30 days."
Andrew Storms, director of security operations for nCircle, agrees. Storms
notes that the XML flaw is already included in a variety of exploit toolkits, and attacks are circulating in the
wild. Storms adds, "If you are paying close attention, you'll notice that the XML version 5 patch for the bug isn't
shipping today. The fix for this version is probably not ready yet, so Microsoft decided to deliver the other
patches. So far, all the attacks in the wild utilize XML version 3, so this release, even though not totally
complete, seems like a no-brainer."
Marc Maiffret, co-founder of eEye Digital Security and now CTO at BeyondTrust, points out, "Internet Explorer 9 is not only the "faster browser"
this month but the fastest way to get
you owned. MS12-044 specifically covers a critical vulnerability that affects only Internet Explorer 9."