Update: Microsoft schedules seven patches for next week
It's preparing critical updates for Windows, IE, Outlook Express and Word
Of the seven bulletins expected Oct. 9, four will be rated "critical," Microsoft's highest ranking, while the remainder will be labeled "important," the next-lower rating. What details Microsoft was willing to share prior to the patches' debut were posted to the prepatch notification filed on the company's Web site this morning.
"Looks like a pretty normal advance notification to me," said Andre Protas, director of preview at eEye Digital Security.
Windows will account for three of the seven updates, and one of the four critical fixes. The solitary critical bulletin affects Windows 2000, Windows XP Home SP2 and Windows Server 2003, Microsoft said.
The three remaining critical updates will address one or more vulnerabilities in Outlook Express, the e-mail software bundled with Windows, and Windows Mail, Vista's name for the program; Internet Explorer (IE); and Microsoft Word. Every version of IE will need a patch, according to the affected software section of the notice, including IE 7 on Vista, the edition Microsoft has repeatedly touted as its most secure browser ever.
While all versions of Outlook Express harbor a critical bug, as does Word 2000, the flaws in other flavors of Microsoft's entry-level mail client and word processor were designated as important.
"The Word vulnerability is undoubtedly a file parsing bug," said Andrew Storms, director of security operations at nCircle Network Security Inc., referring to the numerous flaws that Microsoft has patched in Office document formats since January 2006. "And the IE bug shows that Vista's protections are not aiding the browser like Microsoft had hoped.
Three critical vulnerabilities in IE7 have been patched so far this year, excluded those being addressed next week. The most recent was a vector markup language flaw fixed in August.
There are no in-the-wild Outlook Express or Windows Mail vulnerabilities in Danish bug tracker Secunia's database, but Storms hinted that he is familiar with the bug slated to be patched next Tuesday. "I have to take the Fifth," he said when asked if he knew of any vulnerabilities. Both e-mailers were last patched in June, when four holes were plugged in Windows Mail's handling of the MHTML protocol.
Storms was more forthcoming when talking about one of the updates judged important. Tagged only as Bulletin 5 for the moment, it affects Windows Server 2003 and Windows 2000 SP4, but not Windows XP or Vista. "It could be a man-in-the-middle attack," Storms theorized. "Maybe a server-side service is vulnerable, like DNS or DHCP."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts