Microsoft to patch four bugs on Tuesday
Look for fixes for flawed Jet Database Engine, Word and all anti-virus products
Computerworld - Microsoft today said it plan to post four security updates next week, three of them "critical," to patch Windows, Word, Publisher and all of the company's anti-malware applications.
Among the critical fixes will be one that quashes bugs in Microsoft's Jet Database Engine that go back as far as 2005. The other critical patches will close holes in Microsoft's word processor and desktop publishing programs.
"Finally, the expected fix for Jet," said Andrew Storms, director of security operations at nCircle.
Seven weeks ago, Microsoft rang an alarm over critical vulnerabilities in Jet Database Engine, a Windows component that provides data access to applications such as Microsoft Access and Visual Basic. The company posted a security advisory on March 22 that acknowledged "public reports of very limited, targeted attacks" using Word documents that triggered the Jet Database bug.
Several days later, Microsoft's security team admitted it had known of the Jet Database bugs for more than two years, but had not patched the problems because it thought it had blocked the obvious attack vectors. In a post to the Microsoft Security Response Center (MSRC) blog, Mike Reavey, the group's operations manager, said it might replace the version of Jet in Windows 2000, XP and Server 2003 SP1 to fix the flaws.
The Jet Database Engine included in Windows Vista, Windows Server 2003 SP2 and the just-released Windows XP SP3 is not vulnerable to the attacks, and doesn't require replacement.
According to Microsoft's prepatch notification, which it issued Thursday, Microsoft will swap out the buggy Jet in Windows 2000, XP SP2 and Server 2003 SP1.
It also appears that Microsoft will fix Word to shut down that attack vector, said nCircle's Storms. "I have a strong feeling that they're patching both ends of the problem," he said. "They're covering all the bases, which is the right thing to do."
The single non-critical patch slated for release is a fix marked "important" by Microsoft that will affect the company's consumer and enterprise anti-malware products. The patch will address what Microsoft called a denial-of-service issue in Antigen, Forefront Security, Windows Live OneCare and Windows Defender.
Storms said that the bug is likely minor. "Given that it's a denial-of-service, it's probably one of those things like a specially-crafted Zip file that makes the scanning engine chug and chug and chug," he said. "It's probably not a big deal." It would be a different story, he said, if Microsoft had said that the vulnerability could crash the security software. If that were the case, he added, attackers might be able to inject malicious code onto a vulnerable system.
All in all, it looks like a lighter Patch Tuesday -- the name some give to the second Tuesday of the month, when Microsoft regularly issues security updates -- than last month. "I think it will probably be an easy week," Storms said.
The four security updates will be posted on Tuesday around 1 p.m. EST. If Microsoft issues all of the expected updates, it will have released 29 through the first five months of 2008, the same number it unveiled through May of last year.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts