Microsoft promises 12 patches next week
Plans to fix Access bug being exploited, may patch IE flaw involved with Safari 'carpet bomb'
Computerworld - Microsoft Corp. today said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista.
Of the 12 updates it sketched out in the advance notification issued this morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking.
"We almost have a baker's dozen," said Andrew Storms, director of security operations at nCircle Network Security Inc. "What struck me was the complete depth of Microsoft software that the updates will touch this month."
As is its practice, Microsoft divulged little information about each update, limiting the disclosure to naming the affected software and spelling out in only general terms the nature of the bugs.
Four of the seven critical updates will patch Office, with three of those aimed at Access, Excel and PowerPoint. Another update, downgraded to important, will patch one or more bugs in Word, the suite's word processor.
The other critical updates will fix unspecified flaws in Windows, IE and Media Player 11, the edition included with Windows Vista.
Microsoft acknowledged that each of the seven critical updates would fix flaws that could be exploited remotely, an indication that they were among the most serious of vulnerabilities, and could potentially be used to hijack PCs.
At least one of the vulnerabilities has already been exploited by hackers. A flaw in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, generated a security advisory a month ago today, when the company warned that criminals were actively tricking users into visiting a malicious Web site in order to compromise their computers.
A week later, Symantec Corp. researchers reported that a popular attack kit had been updated with a Snapshot Viewer exploit, and warned of more attacks.
Storms speculated that the critical IE patch was also required to plug the ActiveX hole. "The bug could be a cross-over to multiple programs," he said, noting that that is often the case in an ActiveX bug.
Microsoft may also be patching IE to quash a bug first reported in 2006, but which returned to the limelight in May when security researcher Aviv Raff claimed that it could be combined with a flaw in Apple Inc.'s Safari. At the end of that month, Microsoft warned users of the blended threat and recommended that people stop using Safari. Apple has since patched Safari and Mozilla Corp. also updated Firefox to stop possible blended attacks using its browser, but Microsoft has yet to fix the flaw.
Of the five bulletins tagged important, two will patch vulnerabilities in Windows, while one each will address issues in Outlook Express and Windows Mail, the Messenger instant messaging client and Word. Ironically, only the newest versions of Windows -- Vista and Server 2008 -- will need to be patched by both Windows-specific updates. Earlier editions, including Windows 2000, Windows XP and Windows Server 2003, will require only one of the pair.
The dozen patches should keep IT administrators busy, but the work will be different, and possibly less stressful, than last month, said Storms, when they had to test and roll out several less-critical updates to server-side software, including a fix for the DNS vulnerability that's been in the news the last month.
"It will be a different kind of work this month," he said. "The potential for downtime is a little less, for one thing. If a single laptop fails because it didn't get its IE patch, that's not so bad as last month, when an Exchange server could have gone down after patching."
The 12 security updates will be posted around 1 p.m. EDT on Aug. 12.
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Gartner Report: A Guide to Gartner's Enterprise Mobile Security Self-Assessment Gartner introduces a model and a Toolkit intended to help mobility and security IT leaders assess their enterprise mobility programs from a security...
- Gartner Report: Containing Mobile Security Risks With the 80/20 Rule IT planners can deliver better mobile protection with higher user satisfaction by segmenting users into risk groups before committing to specific management or...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts