Microsoft: expect no less than 12 security patches today
August 12, 2008
Microsoft said it will deliver no fewer than twelve critical security updates today, in an effort to repair security vulnerabilities in Windows, Office, Internet Explorer and the media player bundled with the Vista operating system.
Of the twelve security updates it sketched out in the advance notification issued Aug. 7, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking.
Andrew Storms, director of security operations at nCircle Network Security, said, "What struck me was the complete depth of Microsoft software that the updates will touch today." As is its practice, Microsoft divulged very little information about each update, limiting the disclosure to naming the affected software and spelling out in only general terms the nature of the fixes.
Overall, four of the seven critical updates will repair Office, with three of those aimed at Access, Excel and PowerPoint. Another update, downgraded to important, will patch one or more bugs in Word, the suite's word processor.
However, Microsoft did acknowledge that each of the seven critical updates would fix holes that could be exploited remotely, an indication that they were among the most serious of vulnerabilities, and could potentially be used to hijack Windows computers.
So far, at least one of the vulnerabilities has already been exploited by a few hackers. A hole in the "Snapshot Viewer" ActiveX control, which is bundled with the Access database, generated a security advisory in July, when Microsoft warned that criminals were actively tricking users into visiting a malicious Web site in order to compromise their Windows machines.
The other critical security updates will repair unspecified holes in the Windows operating system itself, Internet Explorer and Media Player version 11, the edition included with Windows Vista.
Recently, Symantec researchers reported that a popular attack kit had been updated with a Snapshot Viewer exploit, and warned of more attacks in the near future.
Storms speculated that the critical IE patch was also required to plug the ActiveX flaw. "The bug could be a cross-over to multiple programs," he said, noting that this is often the case with an ActiveX flaw.
Of the five bulletins tagged as important, two will patch vulnerabilities in Windows, while one each will address issues in Outlook Express and Windows Mail, the Messenger instant messaging client and Word.
Ironically, only the newest versions of Windows -- Vista and Server 2008 -- will need to be patched by both Windows-specific updates. Earlier editions, including Windows 2000, Windows XP and Windows Server 2003, will require only one of the pair. Some in the security industry consider this "strange and unusual."
Microsoft may also be patching IE to quash a bug first reported more than two years ago, but which returned to the limelight a few months ago when security researcher Aviv Raff claimed that it could be combined with a security hole in Apple's Safari browser.
On May 30, Microsoft warned users of the blended threat and recommended that people stop using Safari. Apple has since patched Safari and Mozilla Corp. also updated Firefox to stop possible blended attacks using its browser, but Microsoft has yet to fix that security hole.
"It will be a different kind of patching today... The potential for downtime is a little less, for one thing. If a single laptop fails because it didn't get its IE patch, that's not so bad as last month, when a whole Microsoft Exchange e-mail server could have gone down completely after patching," said Storms.
The twelve patches should keep IT administrators busy today. However, Storms said, the work will be somewhat different and possibly less stressful than the patching in July, when they had to test and roll out several less-critical updates to server-side software, including a fix for the DNS vulnerability that's been in the news in the past few weeks.
As is usually the case with most monthly 'Patching Tuesdays', the twelve security updates will be posted today on the Microsoft update site at 1 PM EDT.