Microsoft has released 13 bulletins to address 22 security flaws across several of its core products, including two that are rated "critical" threats to its servers and browsers.
The first critical bulletin is a patch for Windows Server 2008 and Windows Server 2008 R2 operating systems that resolves two vulnerabilities. The more serious of the two allows for remote code execution if an attacker registers a domain, creates a Name Authority Pointer (NAPTR) Domain Name System resource record and then sends a query to the target DNS server. Those servers that do not have the DNS role enabled are not at risk, according to Microsoft.
The second critical bulletin is directed at Internet Explorer Versions 6 and 9 operating on Windows 7, Windows XP and Vista. The patch addresses a vulnerability that could allow remote code execution so attackers could take control of targeted servers.
The other 11 bulletins, nine of which were rated "important," address a number of remote code-execution vulnerabilities as well as flaws enabling elevation of administrative privileges, denial-of-service attacks and unauthorized information disclosure.
One of those bulletins is a security update to address vulnerabilities in all editions of Windows Server 2003 and Windows XP. The vulnerabilities allow the elevation of privilege once a hacker successfully logs on to a system and runs an application specifically designed to take complete control of that system.
In addition, Microsoft released patches for its .Net framework and Visual Studio 2005 development toolset, along with another for its Visio diagramming application.
The patch for .Net is a security update to address a vulnerability in ASP.Net Chart controls. The vulnerability could allow information disclosure if a hacker sent a GET request to an affected server hosting the Chart controls.