Update: Microsoft schedules seven patches for next week
It's preparing critical updates for Windows, IE, Outlook Express and Word
Of the seven bulletins expected Oct. 9, four will be rated "critical," Microsoft's highest ranking, while the remainder will be labeled "important," the next-lower rating. What details Microsoft was willing to share prior to the patches' debut were posted to the prepatch notification filed on the company's Web site this morning.
"Looks like a pretty normal advance notification to me," said Andre Protas, director of preview at eEye Digital Security.
Windows will account for three of the seven updates, and one of the four critical fixes. The solitary critical bulletin affects Windows 2000, Windows XP Home SP2 and Windows Server 2003, Microsoft said.
The three remaining critical updates will address one or more vulnerabilities in Outlook Express, the e-mail software bundled with Windows, and Windows Mail, Vista's name for the program; Internet Explorer (IE); and Microsoft Word. Every version of IE will need a patch, according to the affected software section of the notice, including IE 7 on Vista, the edition Microsoft has repeatedly touted as its most secure browser ever.
While all versions of Outlook Express harbor a critical bug, as does Word 2000, the flaws in other flavors of Microsoft's entry-level mail client and word processor were designated as important.
"The Word vulnerability is undoubtedly a file parsing bug," said Andrew Storms, director of security operations at nCircle Network Security Inc., referring to the numerous flaws that Microsoft has patched in Office document formats since January 2006. "And the IE bug shows that Vista's protections are not aiding the browser like Microsoft had hoped.
Three critical vulnerabilities in IE7 have been patched so far this year, excluded those being addressed next week. The most recent was a vector markup language flaw fixed in August.
There are no in-the-wild Outlook Express or Windows Mail vulnerabilities in Danish bug tracker Secunia's database, but Storms hinted that he is familiar with the bug slated to be patched next Tuesday. "I have to take the Fifth," he said when asked if he knew of any vulnerabilities. Both e-mailers were last patched in June, when four holes were plugged in Windows Mail's handling of the MHTML protocol.
Storms was more forthcoming when talking about one of the updates judged important. Tagged only as Bulletin 5 for the moment, it affects Windows Server 2003 and Windows 2000 SP4, but not Windows XP or Vista. "It could be a man-in-the-middle attack," Storms theorized. "Maybe a server-side service is vulnerable, like DNS or DHCP."
- Top 10 Reasons to Strengthen Information Security with Desktop Virtualization Regain control and reduce risk without sacrificing business productivity and growth
- Preventing Sophisticated Attacks: Anti-Evasion & Advanced Evasion Techniques McAfee Next Generation Firewall applies sophisticated analysis techniques specifically to detect advanced evasion techniques (AET).
- The Security Industry's Dirty Little Secret The debate over advanced evasion techniques (AETs) This report summarizes the findings of a McAfee commissioned research group to determine the level of understanding IT security professionals have about AETs...
- Demand More, Get the Most from the Move to a Next-Generation Firewall Beyond the basics in a next generation firewall, to protect your investment you should demand other valuable features: intrusion prevention, contextual rules, advanced...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!