Microsoft cooks up five patches for next week
On the list for fixes: Windows, Messenger, SharePoint, Visual Studio and Unix service
Computerworld - Microsoft Corp. today said it will release five security updates next Tuesday -- about half as many as it issued last month -- targeting flaws in Windows, SharePoint, Visual Studio and Microsoft's instant messaging clients.
Of the five bulletins expected Sept. 11, only one will be labeled "critical," Microsoft's highest rating, although of the remaining four -- all ranked "important" -- two could result in remote code execution if successfully exploited. Details were spelled out in the prepatch notification that Microsoft posted Thursday morning.
Windows will be pegged by two of the updates, including the single critical patch, which is slated to fix one or more unspecified vulnerabilities in Windows 2000 SP4. The other update will plug one or more flaws in Windows Services for UNIX (SFU), which is present in all versions of Microsoft's operating system, including Vista. The Microsoft-produced SFU is a collection of components that make it possible for Windows and Unix systems to talk to each other. Mixed operating system shops, for instance, install SFU so that Windows PCs can map to Unix NFS network shares.
Other updates are set to plug holes in SharePoint Services 3.0 on Windows Server 2003, Visual Studio through Version 2005 SP1 and the MSN Messenger/Live Messenger Versions 6.2, 7.0, 7.5 and 8.0.
Windows Vista, which has been hammered by updates of late -- last month, five of nine security bulletins affected Vista -- will be patched by only one of the five September fixes.
As is customary, Microsoft gave only partial details of the upcoming updates, making it difficult to predict the specific vulnerabilities being patched. Danish vulnerability tracker Secunia, for example, shows no unpatched problems for either SFU or SharePoint Services. However, Secunia's database does list outstanding vulnerabilities in Visual Studio, which sports a still-unpatched bug from January 2006; Windows 2000; and the MSN and Live Messenger clients.
The Messenger update will likely patch the webcam vulnerability reported late last month on a Chinese-language security mailing list. According to an advisory issued Aug. 28 by US-CERT (the U.S. Computer Emergency Response Team), all versions but the latest are susceptible to attack via a heap overflow bug through a purposefully malformed webcam session. Exploit code was also publicly posted in August.
At the time, US-CERT recommended users upgrade immediately to Windows Live Messenger 8.1, which was not affected by the bug.
Assuming Microsoft releases all five updates -- occasionally it drops one at the last minute -- users will have faced 55 bulletins through the first nine months of 2007, the same number as during the January-September stretch last year.
Microsoft posts updates on the second Tuesday of each month between 1 p.m. and 3 p.m. EDT.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts