Microsoft promises 12 patches next week

Plans to fix Access bug being exploited, may patch IE flaw involved with Safari 'carpet bomb'

Microsoft Thursday said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista.

Of the 12 updates it sketched out in the advance notification issued Thursday morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking.

"We almost have a baker's dozen," said Andrew Storms, director of security operations at nCircle Network Security. "What struck me was the complete depth of Microsoft software that the updates will touch this month."

As is its practice, Microsoft divulged little information about each update, limiting the disclosure to naming the affected software and spelling out in only general terms the nature of the bugs.

Four of the seven critical updates will patch Office, with three of those aimed at Access, Excel and PowerPoint. Another update, downgraded to important, will patch one or more bugs in Word, the suite's word processor.

The other critical updates will fix unspecified flaws in Windows, IE and Media Player 11, the edition included with Windows Vista.

Microsoft acknowledged that each of the seven critical updates would fix flaws that could be exploited remotely, an indication that they were among the most serious of vulnerabilities, and could potentially be used to hijack PCs.

At least one of the vulnerabilities has already been exploited by hackers. A flaw in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, generated a security advisory a month ago Thursday, when the company warned that criminals were actively tricking users into visiting a malicious Web site in order to compromise their computers.

A week later, Symantec researchers reported that a popular attack kit had been updated with a Snapshot Viewer exploit, and warned of more attacks.

Storms speculated that the critical IE patch was also required to plug the ActiveX hole. "The bug could be a cross-over to multiple programs," he said, noting that that is often the case in an ActiveX bug.

Microsoft may also be patching IE to quash a bug first reported in 2006, but which returned to the limelight in May when security researcher Aviv Raff claimed that it could be combined with a flaw in Apple's Safari. At the end of that month, Microsoft warned users of the blended threat and recommended that people stop using Safari. Apple has since patched Safari and Mozilla also updated Firefox to stop possible blended attacks using its browser, but Microsoft has yet to fix the flaw.

Of the five bulletins tagged important, two will patch vulnerabilities in Windows, while one each will address issues in Outlook Express and Windows Mail, the Messenger instant messaging client and Word. Ironically, only the newest versions of Windows -- Vista and Server 2008 -- will need to be patched by both Windows-specific updates. Earlier editions, including Windows 2000, Windows XP and Windows Server 2003, will require only one of the pair.

The dozen patches should keep IT administrators busy, but the work will be different, and possibly less stressful, than last month, said Storms, when they had to test and roll out several less-critical updates to server-side software, including a fix for the DNS vulnerability that's been in the news the last month.

"It will be a different kind of work this month," he said. "The potential for downtime is a little less, for one thing. If a single laptop fails because it didn't get its IE patch, that's not so bad as last month, when an Exchange server could have gone down after patching."

The 12 security updates will be posted on August 12.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Cool Tech

Breitling Superocean Heritage Chronographe 44

Learn more >

SanDisk MicroSDXC™ for Nintendo® Switch™

Learn more >

Toys for Boys

Family Friendly

Panasonic 4K UHD Blu-Ray Player and Full HD Recorder with Netflix - UBT1GL-K

Learn more >

Stocking Stuffer

Razer DeathAdder Expert Ergonomic Gaming Mouse

Learn more >

Christmas Gift Guide

Click for more ›

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?