Microsoft yesterday published nine sets of patches for 14 vulnerabilities, the largest set of Patch Tuesday security fixes since February.
The patches plug holes in Office, Internet Explorer, and every edition of Windows. Eight of the fixes were pegged as critical, the company's highest risk rating.
Faced with an overload of vulnerabilities - including some in components that Microsoft has patched in the past - researchers squabbled over which should get priority.
"I think six of these are equally important," said Andrew Storms, director of security operations at nCircle Network Security.
"The GDI vulnerability is the most critical," said Amol Sarwate, the manager of Qualys' vulnerability research lab.
"MS07-042 affects everything," said Don Leatham, the director of solutions and strategies at PatchLink.
The only update that all three agreed should be moved to the top of the list was the one that patched a bug in Windows Graphics Rendering Engine (GDI). According to Microsoft's MS07-046 advisory, the GDI bug not only affects Windows 2000, XP and 2003 Server, but a successful attack could give the hacker complete control of the PC.
"This affects a core Windows subsystem, and all versions except for Windows Vista," said Sarwate. "Unlike most other vulnerabilities, this one doesn't need an application, like Internet Explorer; all that's needed is a [malformed] image file. The only good news here is that this does not affect Vista."
PatchLink's Leatham called out the GDI bug as one of two he said should be patched immediately, and rang the alarm even louder than Sarwate. "This has the potential to be as dangerous as the WMF vulnerability [from late 2005]," he said. "Microsoft makes it sound as if the typical exploit would come as some sort of email attachment, but the GDI is used by about every single Microsoft application out there.
"Hackers will look at this like Nirvana, something this low level that they can use to target about every workstation in an enterprise," warned Leatham.
The WMF (Windows Metafile) vulnerability, which caused problems at the end of 2005 when hackers began widely exploiting the zero-day bug, was patched in early 2006 by one of the rare out-of-cycle fixes that Microsoft has issued. Even today, the WMF exploit impact on Windows users remains among the largest ever.
Eight other bulletins, however, will vie for administrators' attention. Some, said Storms, Sarwate and Leatham, should get that attention before the others. Among the fixes they pointed to: