Valentine's heralds another 'Super Patch Tuesday'
By Miya Knights
Microsoft has issued eleven new security bulletins as part of a bumper 'Patch Tuesday' update, covering a total of 17 vulnerabilities, 10 of which are rated as critical.
The vendor had warned of a large update as part of its monthly security patching cycle in a preview bulletin issued last week. But its bulletin late yesterday contained one fewer update than had been expected: the one addressing critical VBScript and JScript flaws in Windows 2000, XP and Windows Server 2003.
Nevertheless, it is the largest number in one month that Microsoft has issued since last August's twelve-update 'Super Patch Tuesday,' prompting security analysts like Lumension's regional vice president Alan Bentley to herald a busy time ahead for administrators.
He said: "Microsoft promised a busy Patch Tuesday this month and it has delivered one, making it essential for IT administrators to prioritise this flurry of patches."
Bentley said bulletin MS08-010, which addresses both Internet Explorer (IE) 6 and 7, and MS08-008, 009, 012 and 013, which affect Office, present the most worry and must be addressed first, as they could allow a hacker to execute code remotely on an unpatched PC.
"The widespread use of these applications makes these vulnerabilities a prime target for hackers," he said. "Attackers have shown in recent years that they'd rather target applications than go directly for the throat of the operating system, placing further pressure on businesses to address the Office and IE vulnerabilities."
MS08-010 fixes a publicly disclosed ActiveX bug that affects Visual FoxPro users. But the affected ActiveX control is not part of the default list of controls in IE and so should not affect most users.
"With all of the critical flaws allowing remote code execution and many not requiring end user consent, the potential for malware, botnets and rootkits is rampant," added Bentley.
The MS08-007 update fixes a critical flaw in the WebDAV web-based document sharing protocol redirector software in Windows XP and Vista, and is rated important for Windows Server 2003 users.
In addition to critical fixes for Microsoft Word, Office Publisher and Office itself, there is also a critical update for Windows' Object Linking and Embedding (OLE) Automation software.
The other updates, rated important, are for the Vista TCP/IP stack, Active Directory, the Microsoft Works file converter and two flaws in the Internet Information Services (IIS) web server.
Ben Greenbaum, Symantec Security Response senior research manager, added: "These vulnerabilities underscore the importance of having a full security suite to protect consumers and enterprises from being exploited since they can no longer only rely on traditional best practices alone, such as avoiding unknown or unexpected email attachments or following web links from unknown sources."