As part of its February patch cycle, Microsoft on Tuesday released four security bulletins addressing eight vulnerabilities in its software.
Two of the bulletins are designated "critical" and two are designated "important." They aim to fix vulnerabilities in Internet Explorer, Microsoft Exchange, SQL Server, and Visio.
Microsoft also released Security Advisory 960715, which updates a set of previously published ActiveX kill bits. The new kill bits follow from Microsoft security bulletin MS08-070 and affect Akamai Download Manager and Research in Motion AxLoader.
Eric Schultze, CTO of Shavlik Technologies, considers MS09-004 to be the most interesting patch this month. "This patch addresses the zero-day SQL Server flaw reported by Sec-Consult" on Dec. 9, he said in a statement. "This flaw enables attackers to execute code of their choice on the affected SQL Server. The bar for exploitation is raised slightly in that the attacker must already have authenticated access to the SQL Server in order to pull off this exploit."
Because proof-of-concept exploit code for this vulnerability has been published already, Schultze suggests MS09-004 ought to be rated "critical." He advises patching MS09-003 and MS09-004 as soon as possible; MS09-002 and MS09-005, he says, can wait until a more convenient time.
Paul Zimski, VP of market strategy for Lumension, argues that MS09-002, the Internet Explorer patch, also needs to be dealt with right away. "The remote code execution vulnerabilities exist in IE7 on both Windows XP and Windows Vista -- probably the most prevalent Windows configurations in use today," he said in a statement. Microsoft, he added, gives this vulnerability a score of one on its Exploitability Index, meaning that exploit code can be created easily.