All the critical vulnerabilities are labeled as remote code execution, which would require system restarts and impact a very broad range of Windows platforms and applications, according to Lumension security and forensic analyst Paul Henry. But, he noted, IT administrators should pay attention to two particular security bulletins, as their vulnerabilities are being exploited in the wild: MS09-050 and MS09-053.

MS09-050 is a critical vulnerability that impacts both Vista and Windows 2008 platforms. While only rated as important, Henry said, MS09-053 should be considered a priority for organizations running public-facing FTP servers. He said organizations that use the Internet daily should also pay close attention to the high-priority critical client-side issues that could allow drive-by hacking exploits.

"Because of the large number of issues covered in this month's patch release, it is important that organizations carefully review the bulletin in its entirety and then carefully plan their patch-management priorities and process based on the impact on their given product utilization and the likelihood of exploitation," Henry said. "Simply put, the administrative burden of flaw remediation today is clearly beyond that which can be handled without full flaw-remediation process automation ."

Cleaning Up Old Messes

Andrew Storms, director of security operations for nCircle, has a different take. As he sees it, the bug that is likely to have the biggest impact on Microsoft users will be MS09-051, the speech-codec bug that already has limited exploits in the wild. This is a typical file-parsing issue and similar vulnerabilities have allowed attackers to create drive-by attacks that infect unsuspecting video viewers.

"MS09-056 isn't a critical vulnerability and it doesn't rate high on the exploitability index, but it does offer some insight into Microsoft security processes," Storms said. "Microsoft couldn't fix all the problems with nefarious Web SSL certifications, so they apparently reached out to all trusted root-certificate authorities to make sure they have a process that disallows signatures of null-byte certificates."

The SMB and IIS bugs, both acknowledged by Microsoft in early September, have received quite a bit of attention in the past month. The SMB vulnerability is difficult to exploit given default firewall conditions, Storms noted, but the IIS bugs are easy to exploit. The risk for these vulnerabilities didn't warrant an out-of-band patch, he said, but are included in this month's whopper of a release.

Firefox Users At Risk

As a researcher who provides product content, Tuesday's release made Tyler Reguly, a senior security engineer at nCircle, very uncomfortable. The sheer size of the release and the tangle of vulnerabilities, he said, made it a long night for researchers everywhere looking for useful information for their customers.

"Again we see a month of client-side issues in almost every major Microsoft product. Whether you run Office, Windows Media Player, IE, .NET or just Windows itself, there's a vulnerability for you," Reguly said.

"Those with a Web-based attack vector are always important. Also this month, keep in mind that even Firefox users aren't safe from the IE vulnerability. There is a Firefox attack vector available, so patching IE should be considered crucial even if you never open it."