Microsoft plays Scrooge with security updates
By Miya Knights,
Microsoft yesterday published a total of eight security patches for December, six of which were given its highest ‘critical’ security rating.
But the bulletin patches a total of 28 vulnerabilities, marking the busiest month for Microsoft system security administrators since the software giant introduced its regular, monthly security bulletins on the second Tuesday of every month five years ago.
The six marked critical addressed 23 of the vulnerabilities in the update, leading Andrew Clarke, senior international vice president for security vendor Lumension, to urge organisations to take immediate action to address them.
“While it may be tempting to avoid restarting servers and systems especially during this busy time of year, it is imperative that all IT professionals pay particular attention to the critical updates and patch as quickly as business conditions permit,” he added.
Four of the critical updates tackle vulnerabilities in the Windows operating system (OS), Word and Excel and require reboots to systems and servers. Clarke warned this would add a degree of complexity and disruption to network productivity.
Drilling further into the Windows OS flaws, some affect all shipping versions of the Windows platform, while others affect only Windows Vista and Windows Server 2008, including an eight-month-old privilege escalation vulnerability in XP, Vista, 2003 and 2008 that has exploit code reportedly available in the wild.
Clarke said that, used in combination with a vulnerability that could allow remote code execution, this breach could effectively allow criminals to run exploits at a higher level of privilege, potentially making this a much more serious issue.
And MS08-071 – addressing two critical vulnerabilities – updates the core graphics rendering component of Windows, its Graphics Device Interface (GDI) to prevent hackers creating malicious Windows Metafile (WMF) images. As part of the core Windows Kernel, the GDI flaw will be pervasive to all versions of Windows.
An Internet Explorer (IE) update (MS08-073) also ranked highly on most security researchers’ priority lists, as it affects all commonly deployed versions of the web browsing software, including IE7. It deals with four critical flaws that could allow a hacker to execute malicious code remotely on unpatched systems.
Clarke also called out the Word bulletin (MS08-072), as it could impact Outlook 2007, which is commonly used by many enterprises. “In particular, it could pose challenges for organisations that use Microsoft Word as the Outlook email editor,” he said. “If exploits appear that attack this vulnerability, we recommend disabling Word as the Outlook email editor until your organisation has deployed the upcoming patch.”
Other products patched include Microsoft Office, SharePoint, Windows Media, and its popular development tools, Visual Basic and Visual Studio.