Researcher: Microsoft may launch 'month of ATL' patches on Tuesday
Advance notice offers clues Microsoft will update software hit by deep dev bug
Computerworld - Microsoft today said it would deliver nine security updates next Tuesday, all but one affecting Windows. Five are pegged "critical," the company's highest threat rating.
One researcher speculated that most of the updates will tackle bugs introduced when a Microsoft programmer added an extra "&" character to a vital code library.
Of the nine updates previewed today in the monthly advance notification, eight affect various versions of Windows, while the ninth deals with vulnerabilities in Office, Visual Studio, Internet Security and Acceleration Server (ISA Server), BizTalk Server and other products.
One of the eight Windows updates also affects what the bulletin dubbed "Client for Mac," and which Microsoft later confirmed refers to Remote Desktop Connection Client for Mac, software that lets Mac users connect to Windows-based machines.
In addition to the five critical updates, four are marked "important," the next rating down in the company's four-step scoring system.
"It won't be a go-take-a-nap month," said Andrew Storms, director of security operations at nCircle Network Security. "The good thing is that we're not looking at a lot [of vulnerabilities] in the public domain, so that should give everyone some time, a week or two at least, to test the updates before they deploy them."
One of the nine bulletins, however, appears to address the only unsolved issue Microsoft has publicly acknowledged: one or more flaws in its Microsoft Office Web Components (OWC). "The outstanding bug we know [exists] they disclosed July 13," Storms said. "And Bulletin 1 today is the only one that affects the Office Web Components. I'd say that Microsoft's on track to patch that this month."
Last month, Microsoft issued a security advisory related to OWC, saying that hackers were already exploiting an unpatched, critical vulnerability in a company-made ActiveX control, putting people running Internet Explorer (IE) at risk. The flawed ActiveX control is used by IE to display Excel spreadsheets in the browser.
Microsoft's advisory went out the day before its regularly-scheduled July batch of security updates; most analysts had not expected to see a fix make the July slate.
Storms' bet that Bulletin 1 will patch the problem seems safe. At the time it issued the advisory, Microsoft warned that users running Office XP, Office 2003, ISA 2004, ISA 2006 and Office Small Business Accounting 2006 were vulnerable to attack through IE. Today, Microsoft called out all those programs, as well as several others, as affected by the expected update.
It's also possible that several of the bulletins outlined today will update Microsoft software that previously contained flaws inherited from a buggy code library, said Storms.
- Enable secure remote access to 3D data without sacrificing visual perfomance Design and manufacturing companies must adapt quickly to the demands of an increasingly global and competitive economy. To speed time to market for...
- Virtually Delivered High Performance 3D Graphics "A picture is worth a thousand words." That old phrase is as true today as it ever was. Pictures (i.e., those with heavy...
- Best Practices for Securing Hadoop Historically, Apache Hadoop has provided limited security capabilities. To protect sensitive data being stored and analyzed in Hadoop, security architects should use a...
- Top Tips for Securing Big Data Environments: Why Big Data Doesn't Have to Mean Big Security Challenges Organizations must come to terms with the security challenges they introduce. As big data environments ingest more data, organizations will face significant risks...
- What should I look for in a Next Generation Firewall? SANS Provides Guidance With so many vendors claiming to have a Next Generation Firewall (NGFW), it can be difficult to tell what makes each one different....
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities. All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!