Microsoft Corp. last week slated seven security updates for release next Tuesday that target vulnerabilities in Windows, Internet Explorer, Outlook Express, Word and SharePoint.
Of the seven bulletins expected Oct. 9, four will be rated "critical," Microsoft's highest ranking, while the remainder will be labeled "important," the next-lower rating. What details Microsoft was willing to share prior to the patches' debut were posted to the prepatch notification filed on the company's Web site this morning.
"Looks like a pretty normal advance notification to me," said Andre Protas, director of preview at eEye Digital Security.
Windows will account for three of the seven updates, and one of the four critical fixes. The solitary critical bulletin affects Windows 2000, Windows XP Home SP2 and Windows Server 2003, Microsoft said.
The three remaining critical updates will address one or more vulnerabilities in Outlook Express, the e-mail software bundled with Windows, and Windows Mail, Vista's name for the program; Internet Explorer (IE); and Microsoft Word. Every version of IE will need a patch, according to the affected software section of the notice, including IE 7 on Vista, the edition Microsoft has repeatedly touted as its most secure browser ever.
While all versions of Outlook Express harbor a critical bug, as does Word 2000, the flaws in other flavors of Microsoft's entry-level mail client and word processor were designated as important.
"The Word vulnerability is undoubtedly a file parsing bug," said Andrew Storms, director of security operations at nCircle Network Security Inc., referring to the numerous flaws that Microsoft has patched in Office document formats since January 2006. "And the IE bug shows that Vista's protections are not aiding the browser like Microsoft had hoped.
Three critical vulnerabilities in IE7 have been patched so far this year, excluded those being addressed next week. The most recent was a vector markup language flaw fixed in August.
There are no in-the-wild Outlook Express or Windows Mail vulnerabilities in Danish bug tracker Secunia's database, but Storms hinted that he is familiar with the bug slated to be patched next Tuesday. "I have to take the Fifth," he said when asked if he knew of any vulnerabilities. Both e-mailers were last patched in June, when four holes were plugged in Windows Mail's handling of the MHTML protocol.
Storms was more forthcoming when talking about one of the updates judged important. Tagged only as Bulletin 5 for the moment, it affects Windows Server 2003 and Windows 2000 SP4, but not Windows XP or Vista. "It could be a man-in-the-middle attack," Storms theorized. "Maybe a server-side service is vulnerable, like DNS or DHCP."
He also remarked on the description Microsoft pinned to the bulletin; under Impact of Vulnerability, it listed Spoofing. "I don't remember seeing that before," he said. "That might be a good sign, that Microsoft is getting better at categorizing threats."
All versions of Outlook Express harbor a critical bug, as does Word 2000, but the flaws in other flavors of Microsoft's entry-level mail client and word processor were designated as important.
Windows will also get two out of the three important updates on Tuesday, with SharePoint Services 3.0 receiving the third. The SharePoint fix was originally scheduled to have been released last month, but at the last minute, Microsoft yanked that one without an explanation.
Assuming Microsoft releases all seven bulletins, users will have dealt with 61 updates so far this year, four fewer than same period in 2006.
No comments:
Post a Comment