By Jennifer LeClaire TechNewsWorld Part of the ECT News Network
10/11/06 7:59 AM PT
Microsoft issued a record number of fixes tagged "critical" in its latest Patch Tuesday release. The software giant issued 10 security bulletins to patch vulnerabilities in Windows, Office and .Net. Six of the bulletins were rated "critical," including one that patches a much-hyped Microsoft Word vulnerability and another that seals a PowerPoint hole.
Microsoft (Nasdaq: MSFT) on Tuesday addressed 26 vulnerabilities in its monthly cycle of security patch releases, marking the software giant's largest Patch Tuesday this year.
Microsoft issued 10 security bulletins to patch vulnerabilities in Windows, Office and .Net. Six of the bulletins were rated "critical," a record number since the company implemented its Patch Tuesday process. One update was ranked "important," two judged "moderate" and three rated as "low" risk.
"Among the 26 vulnerabilities being patched, 15 are rated critical by Microsoft, and 16 target applications. This continues the trend toward applications-based malware and application targeted vulnerabilities," said Monty Ijzerman, senior manager of the Global Threat Group for McAfee Avert Labs.
Four Zero-Day Threats
As security researchers anticipated, four zero-day threats are addressed in the release, which includes a fix for the much-hyped Microsoft Word vulnerability that had already been exploited by hackers. Microsoft also made patches available for a recently discovered PowerPoint hole and a shell vulnerability within Windows Explorer that can execute malicious code on systems whose users are viewing contents in "Web view."
"The majority of the six critical patches ... address vulnerabilities that require user interaction to exploit, a trend that has been prevalent in the last several releases. However, there is one vulnerability that enables remote exploit in the server service, which provides support for file and print sharing, essentially the function that allows users to permit access to their local resources," Amol Sarwate, director of the vulnerability research lab at Qualys, told TechNewsWorld.
Office accounted for 62 percent of the vulnerabilities in this cycle. Eighty-six percent of those were marked critical. Four critical Office patches are perfect fodder for a new round of viruses, according to nCircle IT Director Andrew Storms.
"This is a big impact for major enterprises that haven't yet deployed Service Pack 2. In addition to all of the patches released that need to be tested and deployed this month, enterprises on XP Service Pack 1 will also need to evaluate the level of risk associated with moving to SP2, reprioritize based on this risk level and then reevaluate their patch prioritization. This has huge implications for the enterprise IT teams," Storms noted.
Reviewing Recommendations
McAfee recommends that security administrators pay special attention to the MS06-057 vulnerability in the Windows shell because it is remotely exploitable by an anonymous user. This vulnerability has a critical rating and has been widely exploited in so-called "drive-by installs" and "drive-by download" attacks through Internet Explorer.
Qualys also advises organizations to pay special attention to MS06-057 and patch systems accordingly, as the server service is a feature that is turned on by default on Windows systems.