Microsoft fixes nine Office and Windows bugs

gallery

Microsoft has released six security updates as part of its monthly patching cycle, fixing critical flaws in a number of key products.

The 'Patch Tuesday' updates released yesterday fix nine bugs in products including Word, Outlook Express and Internet Explorer (IE) and the Kodak image viewer bundled with Windows. Out of these, four were rated 'critical,' while 'important' fixes also related to Windows SharePoint collaboration software and Windows remote procedure call (RPC) protocol.

Among security experts, the general consensus is that the Word vulnerability the patches address should a priority. A Microsoft security programme manager said in a blog that this is because, although the issue has not been publicly disclosed, the vendor was aware of a "very limited and targeted number of attacks". The flaw can allow a hacker to get unsuspecting users to open Word documents.

The Windows RPC flaw is significant for the fact that, although the flaw cannot allow unauthorised software to run on a victim's PC, attacks targeting this execution protocol through denial of service attacks (DoS) have been used in the past as the source for some of the most damaging computer worms, like 2003's Blaster.

The IE patch fixes four bugs in the Microsoft browser and are rated critical given the fact that they affect core operating system (OS) files and their likelihood in being used as in internet-based attacks.

Alan Bentley, regional vice president of Lumension (formerly PatchLink) felt the IE bugs should also be a priority for administrators. "If you were to only adopt one patch this month, this is it," he said.

"Organisations and consumers alike should focus on [the cumulative update] given the pervasiveness of IE. The reality of the vulnerability is that you may think you've left a site, but to all intents and purposes you remain on that site.

He also said the DoS vulnerability rated as 'important' has the potential to enable hackers to cripple internet-facing Microsoft servers. "Any organisation with externally facing Microsoft web servers should take a very close look at the MS07-058 bulletin."

Microsoft released one less patch than it had originally planned, according to its pre-Patch Tuesday release schedule outlined last Thursday. An unidentified flaw in Windows 2000 and Windows Server 2003 that could be used for 'spoofing' was withdrawn because of 'quality control issues' according to the vendor.

Nevertheless, Lumension's Bentley said that although the release of four critical patches would attract most attention, he also pointed to Sun as another vendor releasing a slew of patches this week, which means "IT administrators cannot just stop at updating Microsoft".

Email to a friend

Print this page