Microsoft Tuesday patches vulnerabilities in Windows, Exchange, SQL Server and DNS

All nine flaws were rated "important" by Microsoft, the second-highest threat rating in the company's four-step scoring system. One of the Microsoft fixes for Windows DNS was part of a group of patches issued Tuesday by software vendors to plug a multi-platform hole. The researcher who uncovered the vulnerability called the group patch effort the "largest synchronized security update in the history of the Internet."

Microsoft patched its iterations of DNS in MS08-037, the security bulletin that called out two DNS bugs in every supported version of Windows except Vista.

"We've had four updates to Microsoft's DNS since 2007 -- and one led to a bot, Rinbot, in April 2007," noted Andrew Storms, director of security operations at nCircle Network Security Inc."

Storms was referring to the episode last year when researchers spotted then-new variants of Rinbot exploiting a zero-day flaw in Windows DNS Server Service. The most recent patch for Windows DNS was released as MS08-020 in April, part of that month's eight-update, 10-fix batch of updates.

The fix for the DNS cache poisoning vulnerability, which Dan Kaminsky, a noted researcher and director of penetration testing with Seattle-based IOActive Inc., reported to Microsoft, is part of a larger, coordinated rollout Tuesday. Internet Software Consortium (ISC) has also updated its popular open-source BIND DNS software, which vendors like Red Hat and Sun Microsystems will be pushing to their users Tuesday.