Microsoft issues biggest patch update in a year
Fixes 17 vulnerabilities in Windows, Office, IE and more
February 12, 2008 12:00 PM ETComputerworld - Microsoft Corp. today rolled out 11 security updates that patch 17 vulnerabilities in Windows, Office, Internet Explorer, Internet Information Server (IIS) and several other components and technologies.
It was the most patch bulletins Microsoft's has issued since February 2007, even though it yanked one expected update -- scheduled last week to fix problems in VBScript and JScript -- at the last minute. Five of the 11 were ranked "critical," Microsoft's highest rating in its four-step threat-scoring system. The others were pegged as "important," the second-highest rating.
The sheer volume of flaws and fixes -- added to the already large number of updates cranked out over the past two weeks by other vendors, including Apple Inc. and Adobe Systems Inc. -- is what struck Andrew Storms, director of security operations at nCircle Network Security Inc.
"The volume of the last week is something no security team can staff for," said Storms, referring to a wave of vulnerability disclosures and patches by developers of some of the Web's most popular applications, including Adobe Reader, Apple's QuickTime and Skype Ltd.'s flagship VoIP client. All have been plagued with, and patched, one or more bugs in the past week.
"It's almost the worst case possible," Storms said. "There's so much firefighting going on that it comes down to deciding what risks are the most prevalent, and what can be mitigated without patching or fixing so that people can get to some of the hotter topics."
Storms recommended that organizations first tackle the three Office-related bulletins in today's Microsoft release before jumping back to the Reader update from last week to ensure that all copies of that popular PDF viewer have been patched. One of the Reader bugs has been exploited for at least several weeks.
MS08-009, MS08-012 and MS08-013 patched flaws in Microsoft Word, in Microsoft Publisher and in Office overall, respectively. Another bulletin, MS08-011, fixed a vulnerability in Microsoft Works, the company's lowest-priced, entry-level suite. Because MS08-011 plugs a hole in Works' file converter, however, it also puts users of Office 2003, including the most recent service pack, SP3, at risk.
Other bulletins addressed problems in IE, Active Directory, Windows Vista's implementation of TCP/IP, IIS, Windows' WebDAV technology and Windows' use of OLE automation.
"It's interesting that we're still seeing the client side's [vulnerabilities] as more critical than the server side," noted Storms, when asked to pass judgment on the patch day as a whole. "That's a complete flip from five years ago. Take MS08-003 as an example. It's in Active Directory, which is at the core of the enterprise. But it's only labeled 'important' because you need valid log-in credentials to exploit it." He also pointed to the two IIS-related bulletins as examples of old-school problems that affect servers but pose less of a threat.
Microsoft
Additional Resources



Learn the important issues you must consider before starting your next mobility initiative. Get your mobility white paper from IDC now, compliments of Sybase.
White Papers & Webcasts
Share our Strength
Download Now
Lower the Cost and Complexity of a Mobile Workforce through Automation
Download This Resource Now!
Top 10 Things to Know about Data Protection
Download Now
Managing Mobility: Improve Data Security, Compliance and Manageability
Download This Resource Now!
Managing Secure File Transfer to Save Time, Money and IT Resources
Learn how companies are using innovative technology to overcome these challenges and improve user productivity by offloading e-mail attachments and replacing FTP with...
Ponemon Study: The Business Risk of a Lost Laptop
Download Now
Security Convergence Equals Network Security Cost Savings
Listen to IBM Internet Security Systems' take on network security convergence.
Airport Insecurity: The Case of Lost Laptops
Download Now
Disaster Recovery 2008: Reduced Costs and Improved Performance
How long can your Enterprise afford to be without your data? With an accelerated disaster recovery program, you never have to answer this...
