ITPRO

Printed from www.itpro.co.uk


    Microsoft issues six patches

Patch Tuesday security update addresses three critical vulnerabilities.

By Miya Knights, 11 Jul 2007 at 13:55

Microsoft issued six security updates as part of its monthly Patch Tuesday schedule, patching 11 vulnerabilities and rating three of the updates as critical.

The vendor said the critical updates would fix bugs in many different versions of Microsoft products including Office, Excel, Windows XP, and .NET. Two important patches and one moderate patch have also been released to address vulnerabilities in Office, Publisher and Windows Vista.

Alan Bentley, managing director for Europe, Middle East and Africa at patch management software maker PatchLink, said the .NET development framework features in the most important patch this month.

"It has the potential to affect every application running on every operating system that Microsoft is actively supporting today. The sheer impact this vulnerability could have, if exploited, means organisations should apply this patch immediately," said Bentley.

But he added: "The .NET vulnerability is not the only vulnerability that needs urgent attention this month. Given that Excel is implicitly trusted by Internet Explorer, worms and other exploits coming through the web have the potential to propagate the Microsoft Excel vulnerability (MS07-036) without user action - placing the onus on IT administrators to fix this vulnerability quickly."

Even Microsoft Vista doesn't go unnoticed this month, as there are two vulnerabilities Bentley says could affect Vista - the .NET vulnerability (MS07-040), as well as the Vista patch deemed "moderate" (MS07-038). He urged organisations that have adopted Vista in their IT environments to keep a close eye on these patches.

"IT administrators must take a look at the Office vulnerabilities, as the framework and application layer will continue to be where most of the vulnerabilities will be found as threats move up the application stack from the traditional operating system," he added.

Online criminals have used flaws in Excel and other Microsoft Office products in limited attacks over the past year. The attacker will typically send the victim an email containing a maliciously encoded Office attachment. If the document is opened, unauthorised software is installed that allows the hacker to gain access to the victim's computer.

The last of the three patches rated critical (MS07-039) addresses a pair of bugs in Active Directory in Windows 2000 Server and Windows Server 2003. The more dangerous of the two is a vulnerability in the way Active Directory validates a Lightweight Directory Access Protocol (LDAP) request. Microsoft said: "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
