As expected, Microsoft on Tuesday released one critical security update for its Exchange messaging server and two security updates for Windows, one of which was critical.In Microsoft’s rating system, a critical vulnerability means it could allow unauthorized software to be installed without user action.The third patch released Tuesday fixes two vulnerabilities in Windows rated as “moderate,” Microsoft said.More information and Microsoft’s monthly security bulletin can be found online. Amol Sarwate, the Vulnerability Research Lab manager for Qualys, said the vulnerability in Exchange was the most critical of the three. That flaw could allow a remote user to send e-mail with malicious content in it that would take control of Exchange or a user’s computer. The flaw also could have been automated to create an e-mail worm, he said.Qualys provides software as a service for vulnerability and compliance management. The critical Windows flaw was in the version of Adobe Flash Player that comes with the OS, Sarwate said. It could allow miscreants to create malicious Flash-based websites or animated files that could take control of an unsuspecting user’s system if he or she clicked to view those files.Adobe Systems also has released a patch for the Flash Player flaw, and Windows users can install either Adobe’s or Microsoft’s patch to fix their systems, he added.The third Microsoft patch was for two vulnerabilities in the Microsoft Distributed Transaction Coordinator (MDTC), which controls Microsoft SQL Server database transactions.Even though the MDTC flaws could have allowed an attacker to shut down that component, they were rated as moderate, not critical, because Windows services without dependence on the MDTC would not have been affected, a spokesman from Microsoft’s public relations firm, Waggener Edstrom, said via e-mail. In general, an attack on the MDTC vulnerabilities would not affect the overall stability of Windows.Microsoft will host a webcast to discuss the security updates on Wednesday at 11 a.m. PST.More information about the webcast can be found online. All three security updates were released as part of Microsoft’s monthly security patch process, called “Patch Tuesday” by security researchers because the fixes are released on the second Tuesday of the month. The next such update is scheduled for June 13.Keep checking in at our Security Feed page, or subscribe via RSS, for updated news coverage.— Elizabeth Montalbano, IDG News Service Related content brandpost Unmasking ransomware threat clusters: Why it matters to defenders Similar patterns of behavior among ransomware treat groups can help security teams better understand and prepare for attacks By Joan Goodchild Sep 21, 2023 3 mins Cybercrime news analysis China’s offensive cyber operations support “soft power” agenda in Africa Researchers track Chinese cyber espionage intrusions targeting African industrial sectors. By Michael Hill Sep 21, 2023 5 mins Advanced Persistent Threats Cyberattacks Critical Infrastructure brandpost Proactive OT security requires visibility + prevention You cannot protect your operation by simply watching and waiting. It is essential to have a defense-in-depth approach. By Austen Byers Sep 21, 2023 4 mins Security news Gitlab fixes bug that exploited internal policies to trigger hostile pipelines It was possible for an attacker to run pipelines as an arbitrary user via scheduled security scan policies. By Shweta Sharma Sep 21, 2023 3 mins Vulnerabilities Podcasts Videos Resources Events SUBSCRIBE TO OUR NEWSLETTER From our editors straight to your inbox Get started by entering your email address below. Please enter a valid email address Subscribe