Microsoft promises 12 patches next week
Plans to fix Access bug being exploited, may patch IE flaw involved with Safari 'carpet bomb'
Computerworld - Microsoft Corp. today said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista.
Of the 12 updates it sketched out in the advance notification issued this morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking.
"We almost have a baker's dozen," said Andrew Storms, director of security operations at nCircle Network Security Inc. "What struck me was the complete depth of Microsoft software that the updates will touch this month."
As is its practice, Microsoft divulged little information about each update, limiting the disclosure to naming the affected software and spelling out in only general terms the nature of the bugs.
Four of the seven critical updates will patch Office, with three of those aimed at Access, Excel and PowerPoint. Another update, downgraded to important, will patch one or more bugs in Word, the suite's word processor.
The other critical updates will fix unspecified flaws in Windows, IE and Media Player 11, the edition included with Windows Vista.
Microsoft acknowledged that each of the seven critical updates would fix flaws that could be exploited remotely, an indication that they were among the most serious of vulnerabilities, and could potentially be used to hijack PCs.
At least one of the vulnerabilities has already been exploited by hackers. A flaw in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, generated a security advisory a month ago today, when the company warned that criminals were actively tricking users into visiting a malicious Web site in order to compromise their computers.
A week later, Symantec Corp. researchers reported that a popular attack kit had been updated with a Snapshot Viewer exploit, and warned of more attacks.
Storms speculated that the critical IE patch was also required to plug the ActiveX hole. "The bug could be a cross-over to multiple programs," he said, noting that that is often the case in an ActiveX bug.
Microsoft may also be patching IE to quash a bug first reported in 2006, but which returned to the limelight in May when security researcher Aviv Raff claimed that it could be combined with a flaw in Apple Inc.'s Safari. At the end of that month, Microsoft warned users of the blended threat and recommended that people stop using Safari. Apple has since patched Safari and Mozilla Corp. also updated Firefox to stop possible blended attacks using its browser, but Microsoft has yet to fix the flaw.
Of the five bulletins tagged important, two will patch vulnerabilities in Windows, while one each will address issues in Outlook Express and Windows Mail, the Messenger instant messaging client and Word. Ironically, only the newest versions of Windows -- Vista and Server 2008 -- will need to be patched by both Windows-specific updates. Earlier editions, including Windows 2000, Windows XP and Windows Server 2003, will require only one of the pair.
The dozen patches should keep IT administrators busy, but the work will be different, and possibly less stressful, than last month, said Storms, when they had to test and roll out several less-critical updates to server-side software, including a fix for the DNS vulnerability that's been in the news the last month.
"It will be a different kind of work this month," he said. "The potential for downtime is a little less, for one thing. If a single laptop fails because it didn't get its IE patch, that's not so bad as last month, when an Exchange server could have gone down after patching."
The 12 security updates will be posted around 1 p.m. EDT on Aug. 12.
Read more about Security in Computerworld's Security Topic Center.
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts