By Katherine Noyes E-Commerce Times
07/09/07 4:00 AM PT
Microsoft will issue six security updates on Tuesday for vulnerabilities in Office, Windows and the .Net framework for building and running applications. Three are labeled "critical," two are called "important" and one is what the company called "moderate" in importance. Users should make sure they are set to receive the updates as soon as possible, suggested Shane Coursen of Kaspersky Lab.
Microsoft (Nasdaq: MSFT) will release six security updates next week as part of its monthly Patch Tuesday update, the company announced Thursday.
Three of the updates being rolled out on Tuesday have been labeled "critical," two were called "important" and one was named "moderate" in importance. They are for vulnerabilities in Office, Windows and the .Net framework for building and running applications.
An updated Microsoft Windows Malicious Software Removal Tool and several non-security updates dubbed "high priority" will also be released Tuesday, Microsoft said.
Remote Code Executable
All three of the critical updates are to address the potential for remote code execution. One is for Excel, another is for Windows Server 2000 and 2003, and the last will repair .Net Framework 1.0, 1.1 and 2.0 in all currently supported versions of Windows, including Vista.
Remote code execution vulnerabilities could allow hackers to launch malicious code on an unsuspecting user's computer by sending the user an e-mail with an Excel file attachment with malicious code inside, for example, or by enticing the user to click on a link leading to a similar file on a Web site, Amol Sarwate, research manager of the vulnerability research lab at Qualys, told the E-Commerce Times.
Microsoft reveals only limited information about the patches before they are released, but one known Excel public vulnerability, identified in February, causes the application to crash when a malicious spreadsheet is opened, Monty Ijzerman, research team lead for McAfee Avert Labs, told the E-Commerce Times. "That might be among the issues to be patched Tuesday," he noted.
The critical updates will doubtless have a broad impact because of the sheer numbers of people involved. "This Excel vulnerability affects many users, because most companies use that application today," Sarwate said. "The one in Windows Server is something the systems administrators of large corporations should fix immediately."
Reasons Unknown
The two updates labeled "important," meanwhile, address vulnerabilities in Publisher 2007 and Windows XP Professional SP2. Both also involve remote code execution problems but, for reasons as yet unknown, were apparently deemed slightly less severe by Microsoft.
"It must have to do with the exploit vectors, and how easily exploitable the vulnerabilities are," Sarwate explained.
"I'm going to guess it isn't a mistake," added Shane Coursen, senior technical consultant for Kaspersky Lab. "Maybe it's an obscure hack that makes it less than critical."
Of course, for some hackers, the vulnerabilities that are more obscure or difficult to exploit could be the more appealing ones, Coursen told the E-Commerce Times. "As we've seen in the past, those are usually the ones that the real tinkerers, who are curious and seeking to improve what they can do, will try to exploit."
Unique to Vista
Finally, the "moderate" update is for Vista, and marks only the second time a patch has been released that is unique to Microsoft's newest operating system, Sarwate said. It is to address the potential for information disclosure, Coursen added.
The accidental release of confidential information has become a hot topic today as people have become more aware of crimes such as identity theft, Coursen said. "It's especially important for Microsoft and other companies to make sure these bugs are closed up."
Such vulnerabilities are likely to become more numerous in the future, he added, much the way buffer overflow problems were common a few years ago. "We're going to see more of these going forward, and my guess is the malicious malware writers will try to exploit them more often," Coursen said. "This is an important topic to address."
Time-Critical Solutions
Although the number of critical vulnerabilities has increased over the last year, there have actually been fewer hacking successes thanks to increased awareness and Microsoft's new, more stable monthly update procedure, Coursen noted. "Today, the majority of people do update -- that was not the case two or three years ago," he observed.
Nevertheless, time is of the essence, so companies and users should make sure they are set to receive the updates as soon as possible, Coursen stressed.
"The bad guys are really all over this," he explained. "They'll be looking at the patch as soon as it comes out and trying to exploit it, betting that the majority of people won't have updated yet," he warned.
Indeed, "any product out there is likely to be a target," Rob Enderle, president and principal analyst with the Enderle Group, told the E-Commerce Times. "We now live in an environment where patching is a fact of life.
"Luckily, it's getting a lot easier to do," he added. "Office 2007 and Vista were both designed from the ground up to be patched, so a lot of times you don't even have to reboot."