Microsoft plans critical patches for IE, Exchange
Also schedules Tuesday fix for 10-month-old SQL Server bug
Computerworld - Microsoft Corp. today said it will deliver four security updates on Tuesday, two of them pegged "critical," and will finally issue a patch for SQL Server that it's been working on since last April.
The four updates detailed in the advance notice published today will quash bugs in Internet Explorer 7 (IE7); its Exchange mail server software; the Visio application that's part of the Office lineup; and SQL Server. The IE and Exchange vulnerabilities will be labeled critical, the company's highest threat ranking, while the SQL Server and Visio bugs will be marked as "important," one step lower.
Microsoft will release the updates on Feb. 10.
The SQL Server update will fix the vulnerability Microsoft acknowledged in late December 2008, said Andrew Storms, director of security operations at nCircle Network Security Inc. "I did a lineup between the advisory with the affected versions of SQL Server," he said Thursday morning. "It's almost a one-for-one match."
That bug is notable for several reasons. When Micosoft confirmed the vulnerability in a Dec. 22 advisory, it noted that exploit code had been published. Several days later, the company admitted that it first received a report on the bug from Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, in April 2008.
Mueller disclosed the bug in early December after he grew tired of Microsoft's silence; he claimed that the company failed to return numerous messages in the two months prior when he asked for an update on the patch's progress.
Some security analysts had expected Microsoft to act faster. In late December, for example, Wolfgang Kandek, chief technology officer at security company Qualys Inc., predicted that Microsoft would deliver a fix "out of band," a term used when patches are issued outside Microsoft's normal once-a-month schedule.
"Three of these are all equally important, at least with the information we have today," Storms said about the IE, Exchange and SQL Server patches. "It all depends on an enterprise's infrastructure."
Companies are always sensitive to Exchange fixes, Storms continued, so the critical fix set for Exchange Server 2000, 2003 and 2007 will be parsed carefully. "Messaging is so important to the enterprise," Storms said, "that they'll want to spend a little extra time making sure the patch works." One plus, he said, is a "Does not require restart" note by Microsoft in today's bulletin.
"That could mean it's not necessarily a giant hole, or that we're just going to get lucky," said Storms. Because they won't have to restart their Exchange servers, IT administrators should be able to deploy the patch more quickly, he said.
"The IE vulnerability has to be something unique to IE7," wagered Storms. According to Microsoft, the critical vulnerability affects only that version of the browser, not IE6 or IE5.01, the latter edition specific to Windows 2000, and the oldest browser that the company still supports with security updates. Storms hesitated to guess what IE7-only issue might be patched. "It could be any number of things," he said. "Could be scripting or the antiphishing filter."
Microsoft's advance notice reported that the IE7 bug will be rated critical for both Windows XP and Windows Vista, but only "moderate" on Server 2003 and Server 2008.
Microsoft will release February's four updates at approximately 1 p.m. EST Tuesday.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts