On Tap for Patch Tuesday: Three Critical Updates

Microsoft will release six security updates next week as part of its monthly Patch Tuesday update, the company announced Thursday.

Three of the updates being rolled out on Tuesday have been labeled “critical,” two were called “important” and one was named “moderate” in importance. They are for vulnerabilities in Office, Windows and the .Net framework for building and running applications.

An updated Microsoft Windows Malicious Software Removal Tool and several non-security updates dubbed “high priority” will also be released Tuesday, Microsoft said.

Remote Code Executable

All three of the critical updates are to address the potential for remote code execution. One is for Excel, another is for Windows Servers 2000 and 2003, and the last will repair .Net Framework 1.0, 1.1 and 2.0 in all currently supported versions of Windows, including Vista.

Remote code executable vulnerabilities could allow hackers to launch malicious code on an unsuspecting user’s computer by sending the user an e-mail with an Excel file attachment with malicious code inside, for example, or by enticing them to click on a link leading to a similar file on a Web site, Amol Sarwate, research manager of the vulnerability research lab at Qualys, told the E-Commerce Times.

Microsoft reveals only limited information about the patches before they are released, but one known Excel public vulnerability, identified in February, causes the application to crash when a malicious spreadsheet is opened, Monty Ijzerman, research team lead for McAfee Avert Labs, told the E-Commerce Times. “That might be among the issues to be patched Tuesday,” he noted.

The critical updates will doubtless have a broad impact because of the sheer numbers of people involved. “This Excel vulnerability affects many users, because most companies use that application today,” Sarwate said. “The one in Windows Server is something the systems administrators of large corporations should fix immediately.”

Reasons Unknown

The two updates labeled “important,” meanwhile, address vulnerabilities in Publisher 2007 and Windows XP Professional SP2. Both also involve remote code executable problems but, for reasons as yet unknown, were apparently deemed slightly less severe by Microsoft.

“It must have to do with the exploit vectors, and how easily exploitable the vulnerabilities are,” Sarwate explained.

“I’m going to guess it isn’t a mistake,” added Shane Coursen, senior technical consultant for Kaspersky Lab. “Maybe it’s an obscure hack that makes it less than critical.”

Of course, for some hackers, the vulnerabilities that are more obscure or difficult to exploit could be the more appealing ones, Coursen told the E-Commerce Times. “As we’ve seen in the past, those are usually the ones that the real tinkerers, who are curious and seeking to improve what they can do, will try to exploit.”

Unique to Vista

Finally, the “moderate” update is for Vista, and marks only the second time a patch has been released that is unique to Microsoft’s newest operating system, Sarwate said. It is to address the potential for information disclosure, Coursen added.

The accidental release of confidential information has become a hot topic today as people have become more aware of crimes such as identity theft, Coursen said. “It’s especially important for Microsoft and other companies to make sure these bugs are closed up.”

Such vulnerabilities are likely to become more numerous in the future, he added, much the way buffer overflow problems were common a few years ago. “We’re going to see more of these going forward, and my guess is the malicious malware writers will try to exploit them more often,” Coursen said. “This is an important topic to address.”

Time-Critical Solutions

Although the number of critical vulnerabilities has increased over the last year, there have actually been fewer hacking successes thanks to increased awareness and Microsoft’s new, more stable monthly update procedure, Coursen noted. “Today, the majority of people do update — that was not the case two or three years ago,” he observed.

Nevertheless, time is of the essence, so companies and users should make sure they are set to receive the updates as soon as possible, Coursen stressed.

“The bad guys are really all over this,” he explained. “They’ll be looking at the patch as soon as it comes out and trying to exploit it, betting that the majority of people won’t have updated yet,” he warned.

Indeed, “any product out there is likely to be a target,” Rob Enderle, president and principal analyst with the Enderle Group, told the E-Commerce Times. “We now live in an environment where patching is a fact of life.

“Luckily, it’s getting a lot easier to do,” he added. “Office 2007 and Vista were both designed from the ground up to be patched, so a lot of times you don’t even have to reboot.”