ECommerceTimes.com

Microsoft Releases New Batch of Patches for Critical Flaws


Microsoft's Patch Tuesday valentine to users includes patches for six security flaws labeled "critical" -- including one for a scanning engine in Windows Defender -- and a number of vulnerabilities categorized as "important." Windows Vista is not directly affected by any of the flaws, but the Internet security community jumped on the fact that Windows Defender is used with the new OS.



Microsoft (Nasdaq: MSFT) has released new patches that address vulnerabilities in Internet Explorer, MS Office, Windows XP and Server 2003 -- six of which were deemed critical.

Among the more worrisome flaws was one that affected the way Microsoft's Malware Protection Engine scans PDF (Portable Document Format) files, which could affect a wide range of Microsoft security products, Minoo Hamilton, senior vulnerability researcher for nCircle, told TechNewsWorld.

Microsoft released a fix for the scanning engine, which can be found in Windows Live OneCare and Windows Defender.

"Microsoft's continuing investment in security is starting to pay off," Hamilton said.

Important vs. Critical

Many of the other patches fix problems that could give a remote attacker control of the computer, Randy Abrams, director of technical education at ESET, told TechNewsWorld. "They are very serious vulnerabilities."

Microsoft users should download all of the patches no matter how they are rated by Microsoft, he advised.

"Generally, an 'important' rating on a Microsoft bulletin means that the vulnerability won't exploit itself -- a user has to interact in the manner they normally would," he said. "There are some exceptions, but in most cases important updates should be treated as critical updates. Typically, the difference is in Microsoft PR and not in a significant real-world impact."

Some of the vulnerabilities were zero-day exploits, noted Gary Morse, president of Razorpoint Security Technologies. "Usually a vulnerability will get announced, and by the time the exploit code starts making the rounds, a fix is also available," he told TechNewsWorld.

"Zero-day exploits leave customers particularly vulnerable because there are no official patches yet available from the manufacturer," he added.

The larger trend to note, nCircle's Hamilton said, is a decline in serious vulnerabilities. Many of the current batch of patches address vulnerabilities reported privately by security researchers. "That demonstrates that Microsoft is working better with the community -- or perhaps the community is getting better at reporting problems to Microsoft," he commented.

Whither Vista?

Windows Vista is not directly affected by any of the vulnerabilities, but the Internet security community jumped on the fact that Windows Defender is used with the new OS.

"The fact that Windows Defender is installed on Vista by default means that Microsoft's security software has put Vista users at risk," ESET's Abrams asserted.

Vista has the potential to offer better security than XP, but that does not mean it will not have vulnerabilities, he continued. "Vista should have fewer vulnerabilities than XP due to a better design process; however, vulnerabilities in Vista are to be expected, just as with any operating system."

A full evaluation of Vista's security won't be practical until more users have deployed the system, however.

"Malware for Vista won't start showing up until more people are using it," David Perry, Trend Micro's (Nasdaq: TMIC) global director of education, told TechNewsWorld. "Right now, Mac OS X has a larger user base than Vista."

Third-Party Vectors

Another potential avenue of exposure for Vista users, according to Max Caceres, director of product management for Core Security, is the third-party applications that use it. "Some of these apps don't take advantage of new security features," he told TechNewsWorld. "The end users are not necessarily aware of this, and they are assuming they are getting all of the security features in Vista."

Last week, Core Security reported that by exploiting a previously known vulnerability in CA's BrightStor ARCserve Backup, a third-party application that runs on Vista, an attacker could remotely compromise and take over a target machine.

Microsoft's patch release demonstrates the maturation of the OS platform vendors, as well as their willingness to take responsibility for their security issues and provide remediation and protection to their customers, Devin Anderson, security business line manager for LANDesk Software, told TechNewsWorld. "But this has shifted the vulnerability and attack focus to the applications. It is critical to have a patch management product that goes beyond rolling out Microsoft patches and OS patches."




More by Erika Morphy
