Of the seven critical flaws, five allow for remote code execution (RCE) and two give attackers elevation of privilege (EoP). The remainder of the flaws also include a high percentage of RCE and EoP bugs, with the former accounting for 32.9 percent of the flaws patched this month, while the latter accounted for 28.8 percent of fixes, according to a blog post by researchers at Tenable.
Yes, an attacker needs to be authenticated, though Sophos Lab threat researcher Christopher Budd noted: "Given what we've seen recently around attacks against Exchange vulnerabilities, the critical severity rating and the nature of the vulnerability makes this an issue that should be patched as soon as possible."
The security firms also notified Microsoft of two other unpatched bugs that the Stuxnet worm exploited. Those flaws, which can be used by attackers to upgrade access privileges on compromised PCs to administrator status, will be patched in a future update, Microsoft said last week. It has not set a timetable for the fixes, however. 2b1af7f3a8