Update: Microsoft schedules seven patches for next week
It's preparing critical updates for Windows, IE, Outlook Express and Word
Of the seven bulletins expected Oct. 9, four will be rated "critical," Microsoft's highest ranking, while the remainder will be labeled "important," the next-lower rating. What details Microsoft was willing to share prior to the patches' debut were posted to the prepatch notification filed on the company's Web site this morning.
"Looks like a pretty normal advance notification to me," said Andre Protas, director of preview at eEye Digital Security.
Windows will account for three of the seven updates, and one of the four critical fixes. The solitary critical bulletin affects Windows 2000, Windows XP Home SP2 and Windows Server 2003, Microsoft said.
The three remaining critical updates will address one or more vulnerabilities in Outlook Express, the e-mail software bundled with Windows, and Windows Mail, Vista's name for the program; Internet Explorer (IE); and Microsoft Word. Every version of IE will need a patch, according to the affected software section of the notice, including IE 7 on Vista, the edition Microsoft has repeatedly touted as its most secure browser ever.
While all versions of Outlook Express harbor a critical bug, as does Word 2000, the flaws in other flavors of Microsoft's entry-level mail client and word processor were designated as important.
"The Word vulnerability is undoubtedly a file parsing bug," said Andrew Storms, director of security operations at nCircle Network Security Inc., referring to the numerous flaws that Microsoft has patched in Office document formats since January 2006. "And the IE bug shows that Vista's protections are not aiding the browser like Microsoft had hoped.
Three critical vulnerabilities in IE7 have been patched so far this year, excluded those being addressed next week. The most recent was a vector markup language flaw fixed in August.
There are no in-the-wild Outlook Express or Windows Mail vulnerabilities in Danish bug tracker Secunia's database, but Storms hinted that he is familiar with the bug slated to be patched next Tuesday. "I have to take the Fifth," he said when asked if he knew of any vulnerabilities. Both e-mailers were last patched in June, when four holes were plugged in Windows Mail's handling of the MHTML protocol.
Storms was more forthcoming when talking about one of the updates judged important. Tagged only as Bulletin 5 for the moment, it affects Windows Server 2003 and Windows 2000 SP4, but not Windows XP or Vista. "It could be a man-in-the-middle attack," Storms theorized. "Maybe a server-side service is vulnerable, like DNS or DHCP."
- Silicon Valley's 19 Coolest Places to Work
- Is Windows 8 Development Worth the Trouble?
- 8 Books Every IT Leader Should Read This Year
- 10 Hot Hadoop Startups to Watch
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Neustar 2014 DDoS Attacks and Impact Report For the third consecutive year, Neustar surveyed hundreds of companies on distributed denial of service (DDoS) attacks. The survey reveals evidence that the...
- Acxiom Case Study This case study, which focuses on Acxiom, explores how the company was able to secure employee data, reduce migration costs and boost productivity...
- Windows® XP Migration: Protect and Secure Critical Data With the end of the Microsoft Windows XP operating system's lifecycle on April 8, 2014, businesses are faced with the decision to migrate...
- Enhancing Application Protection and Recovery with a Modern Approach to Snapshot Management This CommVault Business Value and Technology White Paper explains how Simpana IntelliSnap® Recovery Manager can make your application recovery fast and reliable.
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts