We just released eight security bulletins, five of which are rated Critical on at least one platform. We built a reference table of bulletin severity rating, exploitability index rating, and attack vectors. This table is sorted first by bulletin severity, next by exploitability index rating, and then by bulletin number. We hope it helps you decide the order in which to prioritize and test the bulletins if you can’t deploy them all immediately.
The attack vector for the Critical CVEs would be Internet Explorer connecting to a malicious website.
You can read more about how we fixed the public CVE-2008-2540 (Safari Carpet Bombing) here.
We would be happy to answer any questions you have about these bulletins. You can contact us at switech _AT_ microsoft.com. We will also be on the monthly MSRC webcast that describes the bulletins and answers questions live "on air". You can find instructions to attend that webcast on the MSRC blog.
Update April 15: Revised MS09-015 max exploitability index rating to "2". Thanks reader Wandile for pointing out the inconsistency.
- Jonathan Ness, SRD blogger
*Postings are provided "AS IS" with no warranties, and confer no rights.*