Welcome | Sign In
LinuxInsider.com
Security

On Tap for Patch Tuesday: Three Critical Updates

Print Version
E-Mail Article
Reprints
On Tap for Patch Tuesday: Three Critical Updates

By Katherine Noyes
E-Commerce Times
Part of the ECT News Network
07/09/07 4:00 AM PT

Microsoft will issue six security updates on Tuesday for vulnerabilities in Office, Windows and the .Net framework for running and building and applications. Three are labeled "critical," two are called "important" and one is what the company called "moderate" in importance. Users should make sure they are set to receive the updates as soon as possible, suggested Shane Coursen of Kaspersky Lab.


Microsoft (Nasdaq: MSFT) will release six security updates next week as part of its monthly Patch Tuesday update, the company announced Thursday.

Three of the updates being rolled out on Tuesday have been labeled "critical," two were called "important" and one was named "moderate" in importance. They are for vulnerabilities in Office, Windows and the .Net framework for building and running applications.

An updated Microsoft Windows Malicious Software Removal Tool and several non-security updates dubbed "high priority" will also be released Tuesday, Microsoft said.

Remote Code Executable

All three of the critical updates are to address the potential for remote code execution. One is for Excel, another is for Windows Servers 2000 and 2003, and the last will repair .Net Framework 1.0, 1.1 and 2.0 in all currently supported versions of Windows, including Vista.

Remote code executable vulnerabilities could allow hackers to launch malicious code on an unsuspecting user's computer by sending the user an e-mail with an Excel file attachment with malicious code inside, for example, or by enticing them to click on a link leading to a similar file on a Web site, Amol Sarwate, research manager of the vulnerability research lab at Qualys, told the E-Commerce Times.

Microsoft reveals only limited information about the patches before they are released, but one known Excel public vulnerability, identified in February, causes the application to crash when a malicious spreadsheet is opened, Monty Ijzerman, research team lead for McAfee Avert Labs, told the E-Commerce Times. "That might be among the issues to be patched Tuesday," he noted.

The critical updates will doubtless have a broad impact because of the sheer numbers of people involved. "This Excel vulnerability affects many users, because most companies use that application today," Sarwate said. "The one in Windows Server is something the systems administrators of large corporations should fix immediately."

Reasons Unknown

The two updates labeled "important," meanwhile, address vulnerabilities in Publisher 2007 and Windows XP Professional SP2. Both also involve remote code executable problems but, for reasons as yet unknown, were apparently deemed slightly less severe by Microsoft.

"It must have to do with the exploit vectors, and how easily exploitable the vulnerabilities are," Sarwate explained.

"I'm going to guess it isn't a mistake," added Shane Coursen, senior technical consultant for Kaspersky Lab. "Maybe it's an obscure hack that makes it less than critical."

Of course, for some hackers, the vulnerabilities that are more obscure or difficult to exploit could be the more appealing ones, Coursen told the E-Commerce Times. "As we've seen in the past, those are usually the ones that the real tinkerers, who are curious and seeking to improve what they can do, will try to exploit."

Unique to Vista

Finally, the "moderate" update is for Vista, and marks only the second time a patch has been released that is unique to Microsoft's newest operating system, Sarwate said. It is to address the potential for information disclosure, Coursen added.

The accidental release of confidential information has become a hot topic today as people have become more aware of crimes such as identity theft, Coursen said. "It's especially important for Microsoft and other companies to make sure these bugs are closed up."

Such vulnerabilities are likely to become more numerous in the future, he added, much the way buffer overflow problems were common a few years ago. "We're going to see more of these going forward, and my guess is the malicious malware writers will try to exploit them more often," Coursen said. "This is an important topic to address."

Time-Critical Solutions

Although the number of critical vulnerabilities has increased over the last year, there have actually been fewer hacking successes thanks to increased awareness and Microsoft's new, more stable monthly update procedure, Coursen noted. "Today, the majority of people do update -- that was not the case two or three years ago," he observed.

Nevertheless, time is of the essence, so companies and users should make sure they are set to receive the updates as soon as possible, Coursen stressed.

"The bad guys are really all over this," he explained. "They'll be looking at the patch as soon as it comes out and trying to exploit it, betting that the majority of people won't have updated yet," he warned.

Indeed, "any product out there is likely to be a target," Rob Enderle, president and principal analyst with the Enderle Group, told the E-Commerce Times. "We now live in an environment where patching is a fact of life.

"Luckily, it's getting a lot easier to do," he added. "Office 2007 and Vista were both designed from the ground up to be patched, so a lot of times you don't even have to reboot."

Print Version E-Mail Article Reprints More by Katherine Noyes

Talkback: Be the first to comment on this story.

Related News Alerts

Microsoft Activate Alert | Search Archives

More by Katherine Noyes

Google's New Android Advocate Comes Out Swinging
March 16, 2010
Google's brand-new Android developer advocate, Tim Bray, wasn't afraid to start his first day on the company's payroll by taking some shots at a rival. "A sterile Disney-fied walled garden surrounded by sharp-toothed lawyers" were the words he used to describe Apple's iPhone platform. Bray was most recently employed at Sun Microsystems and is a longtime open source advocate. 		Report: News Media Running Out of Time to Find a New Model
March 15, 2010
News has become a commodity, suggests a new report from the Pew Research Center. Most consumers don't care very much where it comes from, and few are willing to spend money to get it. Furthermore, those who frequent online news sites rarely click on the ads that typically support them. 		North Korea's 'Red Star' Linux, and Is FOSS an Enemy of the State?
March 15, 2010
Linux has become an unlikely political football, with North Korea's totalitarian government embracing it, and the International Intellectual Property Alliance suggesting that the use of open source software in government agencies "denies many legitimate companies access to the government market." So, open source providers aren't legitimate, then?
Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]
Shortcuts
> Get Business and Technology News Alerts
> Most Popular | Spotlight Features | Exclusives
> This Week on ECT News Network | Podcasts
> WiFi Hotspot Locator
> Inside LinuxInsider
LinuxInsider
E-Commerce Times
TechNewsWorld
White Papers | Case Studies | Reports
How do SFDC, AAA, and West Marine optimize their customer experiences?
From Laid-Off to Entrepreneur: Launching a Web Biz on a Shoestring
Entering European Markets: A Challenging but Real Opportunity
Rewriting the Startup Handbook
MacNewsWorld
CRM Buyer
Today's LinuxInsider Sponsors
Secure Your Datacenter
Mitigate risk and maximize the benefits of virtualization. Get the free eBook today.
Data Deposit Box Online Storage
Sign up for a 2 week free trial and start earning recurring revenue today.
ECT News Network Information
Reader Services
Corporate
ECT News Network
Terms of Service | Privacy Policy | How To Advertise
Copyright 1998-2010 ECT News Network, Inc. All Rights Reserved.