Microsoft has released six (6) updates for Windows for November. Five of these updates are rated critical and the general recommendation is to apply the patches immediately as each one of those involve remote code execution. One update is rated important and it affects Client Services for NetWare (CSNW). If you don't have Netware in your environment you can safely ignore this update. The impact is again limited by the fact that the CSNW is not installed by default on any of the Windows operating systems.

Microsoft has fixed totally 12 vulnerabilities this month with five of those affecting Macromedia Flash Player from Adobe. I am not covering the patches here in detail, but will do so in a detailed article and will try to address each vulnerability in greater depth and details with my recommendations. In my last post on this subject, I had mentioned that I expected Microsoft to patch the recently disclosed vulnerability with Windows Server 2003 running Visual Studio 2005 that is described in Microsoft Security Advisory 927709. The same issue gained some traction in the technology media though some experts did expect Microsoft not to release a patch for it during this cycle as it had very less time to work on it.

I think that Microsoft should have spent more resources on this in getting a patch out for this vulnerability in this cycle as it involves remote code execution. Attackers would definitely try to take advantage of this vulnerability now that they know that the vulnerability exists and a patch isn't coming for at least another month. If there are attacks, then again there might be some third party security researcher / company who will come out with an "unofficial" patch which Microsoft will not support. At the end of the day, where should the customer turn to? Should he trust third party software and apply the patch hoping that nothing else will break or do nothing and hope that his infrastructure won't be attacked.

I don't know.