October Patch Tuesday to fix critical IE and Silverlight bugs

Microsoft is to release eight security updates next week in a relatively light Patch Tuesday, although administrators are warned that two are rated 'critical', including a remote code execution flaw affecting all versions of Internet Explorer.

The 'critical' flaws, both of which could allow remote code execution on a targeted system, affect Microsoft .NET Framework, Silverlight and IE, according to the Microsoft Security Bulletin Advance Notification for October 2011.

Marcus Carey, a security researcher with Rapid7, explained that the former is similar to the MS11-039 bulletin which was patched in June.

"When exploit developers look for bugs disclosed in products, they usually find similar bugs which result in the same type of vulnerabilities," he said.

"I'd expect the implications of this one to mirror MS11-039: specifically that server and client side attacks may be perpetrated through .NET or Silverlight."

This and the IE bug mean that web users should be careful when browsing, Carey warned.

"Attackers will continue to get users to click on links to malicious web sites. Expect the attackers to continue to explore these browser and plug-in weaknesses," he said.

The other six patches are rated 'important'. This is one level down from 'critical' on the severity rating system used by Microsoft, but could still result in remote code execution, denial-of-service or elevation of privilege.

"The remaining six bulletins are for Windows itself and a number of less pervasive Microsoft technologies, such as Forefront and the Host Integration server," said Wolfgang Kandek, chief technology officer at vulnerability management vendor Qualys.

"They are all rated as important and not all of them apply to all configurations. IT administrators will have to evaluate to what degree they affect their networks, servers and workstations."