Microsoft has patched 15 vulnerabilities in its operating system, browser, and other software in its June update, known as Patch Tuesday. However, security experts cannot agree on which problems should be fixed first.
The month's six updates fixed multiple bugs in all currently-supported versions of Windows; in Internet Explorer (IE), both IE 6 and IE 7; in yet another member of the Office family; and in the entry-level e-mail clients Outlook Express and Windows Mail. Of the 15 flaws, 9 were labelled critical, Microsoft's most serious threat ranking, while 2 were pegged as important and 2 judged moderate.
Unlike other months, however, when researchers have usually reached a consensus on which patches should be deployed first, users received mixed messages.
"We think MS07-031 and MS07-035 should be patched first," said Amol Sarwate, the manager of Qualys' vulnerability research lab. "They both affect the core of the Windows operating system, and require no additional software to exploit."
MS07-031 should be tops because it may let attackers, phishers particularly, not only fake out users but feed them malware, he said. A bug in Windows 2000, XP and Server 2003's handling of Secure Socket Layer (SSL) could "give users a false sense of security when they connect to a secure site," said Sarwate.
"The server gives the appearance of a secure site, but instead can send remote code," Sarwate said. Because the bug is in Windows, the vulnerability is browser independent, added Jonathan Bitle, Qualys' manager of technical account management.