Microsoft set to patch IE, Windows, Office

IDG News Service - Microsoft Corp. is set to release five security patches for its products Tuesday, including a highly anticipated Internet Explorer fix that will address a bug that hackers have been exploiting over the past two weeks. Along with the critical IE patch, Microsoft will repair three other flaws in its Windows operating system, as well as an unspecified problem in Office that is rated "moderate."

Although some had called for Microsoft to release an early version of the IE patch, ahead of its previously scheduled April 11 security updates, that possibility now seems unlikely. "Our test and engineering plan for that update that we began two weeks ago is on track to have that update ready for Tuesday," wrote Stephen Toulouse, security program manager at Microsoft's security response center.

Microsoft releases its security patches on the second Tuesday of every month, a predictable process that makes corporate systems administrators happy. But the schedule has also led some users to download unsupported third-party security updates in between official patch releases from Microsoft.

Prompted by the severity of the IE bug, known as the "create TextRange ()" vulnerability, security vendors eEye Digital Security Inc. and Determina Inc. have already offered free downloads that fix the IE bug. To date, eEye reports more than 100,000 downloads of its software, which is not recommended by Microsoft.

Microsoft has plenty of other browser problems to address in the patches, including a second critical vulnerability that, like the create TextRange () bug, could be exploited by hackers to take over a system. Security researchers have also reported two less-critical IE problems with the browser, including a newly discovered bug that could be used by phishers to trick users into thinking that they are visiting trusted Web sites. More information about the vulnerability is available on Secunia's Web site.

Microsoft has not confirmed that Tuesday's patches will address any of these other IE problems.

It has, however, said that the security fixes will include some ActiveX changes aimed at bringing the company into compliance with a 2003 court decision relating to patents held by Eolas Technologies Inc. and the University of California. These changes will alter the way Internet Explorer works with some multimedia technologies like Flash and QuickTime, and they have forced many Web developers to make changes to their sites.

For corporate users who are not ready for the Eolas changes, Microsoft has said that it will also issue a "compatibility patch," which will undo the changes for about two months.

Microsoft offered few other details on the other security patches expected next week, except to say that some of them will require computers to be restarted.

Reprinted with permission from

IDG.net
Story copyright 2009 International Data Group. All rights reserved.