Microsoft to issue seven security updates June 10
June 6, 2008
Late yesterday, Microsoft said it would issue seven critical security updates next Tuesday, three of which are deemed very critical, in order to patch Windows components including versions 6 and 7 of Internet Explorer.
Andrew Storms, director of security operations at nCircle, said Microsoft will also disable a vulnerable third-party program. "Maybe this is a new trend by Microsoft, issuing kill bit updates to mitigate risks," said Storms, referring to one of the seven updates. "Kill bit" is the term Microsoft uses to describe setting a flag in the Windows registry that disables a specific ActiveX control.
Microsoft regularly advises users to set the kill bit in lieu of a formal patch for a control that may harbor a potential security hole.
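One way to audit the flag described above, as an added example that is not part of the original article: the function reads a registry export and reports, per control, whether the kill bit is set. The registry path, the `Compatibility Flags` value name and the 0x400 bit come from Microsoft's kill-bit documentation rather than from this article; the CLSIDs and the export text are constructed placeholders.

```python
import re

# Per-control IE settings live under this key (per Microsoft's kill-bit
# documentation; the path is not given in the article).
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x00000400  # bit inside the "Compatibility Flags" DWORD

# Constructed sample in .reg export format; every CLSID is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000B}]
"Compatibility Flags"=dword:00800000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000000C}]
"Compatibility Flags"=dword:00000410

[HKEY_LOCAL_MACHINE\SOFTWARE\Other\{00000000-0000-0000-0000-00000000000E}]
"Compatibility Flags"=dword:00000400
'''

SECTION = re.compile(r"^\[(.+)\]$")
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-fA-F]{8})$')


def kill_bit_status(reg_text):
    """Map each CLSID under the ActiveX Compatibility key to True if killed."""
    status, clsid = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        m = SECTION.match(line)
        if m:
            # Only direct children of the compatibility key are controls.
            parent, _, leaf = m.group(1).rpartition("\\")
            clsid = leaf.upper() if parent.upper() == COMPAT_KEY.upper() else None
            if clsid:
                status[clsid] = False  # no flags value seen yet: not killed
            continue
        m = FLAGS.match(line)
        if m and clsid:
            # Test the bit with a mask; other flag bits may be set alongside it.
            status[clsid] = bool(int(m.group(1), 16) & KILL_BIT)
    return status
```

The mask test matters because the DWORD can carry other compatibility bits, so comparing the whole value to 0x400 would miss a killed control such as the third sample entry.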
Two months ago, Microsoft issued a kill bit update for an ActiveX control distributed by Yahoo for its Yahoo Music Jukebox. At the time, Microsoft said it would lock down other vendors' software at their request by releasing fixes through Windows Update.
"If Microsoft was patching one of its own ActiveX controls, I would think it would say it's fixing something in 'ActiveX,' but because it's labeled this as 'kill bit,' it leads me to think that it involves a third-party," said Storms.
As mentioned earlier, Microsoft rated three of these seven security updates "critical," its highest threat ranking, while three are tagged "important," one step lower, and the seventh -- the kill bit update -- was marked as "moderate."
The critical updates will patch Bluetooth, DirectX and Internet Explorer in Windows, according to the pre-patch notification Microsoft issued late yesterday.
It's unlikely, however, that the IE update will address the vulnerability that Microsoft warned users about last week, said Storms. "It could," he offered, "but I don't think it would have something this quick." That security bug, when combined with a flaw in Apple Inc.'s Safari Web browser, leaves users open to attack, Microsoft said in a security advisory issued last Friday.
"The seven-update list is one of the most diverse and interesting in a long time. It runs the gamut as far as the distribution of where they are in the operating system and software. The only thing we're missing is a vulnerability check for Excel or Outlook and we'd have one for everything that Microsoft makes."
Storms also called out the Bluetooth update as noteworthy. "A lot of people will be looking at this one too," he said. "Does the vulnerability carry over into the mobile side, or is it only around the desktop?" Bluetooth vulnerabilities, Storms added, are rare and often resemble the "man-in-the-middle" security bugs that are sometimes exploited in 802.11-based wireless scenarios.
The patch will fix IE6 and IE7 running in all supported editions of Windows, including Windows 2000, XP, Server 2003, Vista and Server 2008. Microsoft has pegged the IE fixes in the client operating systems as critical, but only as moderate on the server side.
Two updates -- one for Windows Internet Name Service (WINS) and the other for Active Directory -- affect only server software. While Microsoft rated both as important, Storms said enterprises may think differently. "Active Directory is such a critical core component. Large enterprises will certainly need to roll out these two, and it will take them some time, because of the testing they'll need to do."
The seven security updates will be posted on Microsoft's site Tuesday, June 10 at around 1 p.m. EST.