Software // Enterprise Applications
News
10/9/2007
05:29 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Microsoft Patches Critical IE Flaws And Windows Vista Holes

Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply clicks a malicious Web link.

Microsoft on Tuesday released six security bulletins, half of which have an effect on Windows Vista.

"Three of the bulletins impact Vista," said Eric Schultze, chief security architect, of St. Paul, Minn.-based Shavlik Technologies. "That's not a really good track record for an operating system that Microsoft thought was going to secure the world."

Pointing to Windows Vista patches this month and in previous months, Schultze said, "I don't think Vista has had quite the impact that Microsoft hoped it would in staving off the need to patch your OS."

Of the six security updates published Tuesday, four are rated "critical" and two are rated "important." "This is a little larger this month than average," said Schultze. "Obviously, the big news goes toward bulletin 057, which is for Internet Explorer. The Internet Explorer patch goes toward addressing a lot of previously known public vulnerabilities. So you'll want to patch the IE issue pretty quickly for all of your Internet browsing machines."

"Today's Microsoft patches emphasize the need for proactive browser protection and the risk of surfing the Web unprotected," said Dave Marcus, security research and communications manager at McAfee Avert Labs, in an e-mailed statement. "Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply clicks a malicious Web link, a favorite attack method among cybercriminals. Users need to be more careful than ever when surfing the Internet."

Though bulletin 058 is only rated "important" -- the "critical" designation is typically reserved for flaws that allow remote code execution -- Schultze nonetheless said the IE fix should be dealt with immediately.

"The other big one that I think it really critical to do is bulletin 058, which Microsoft calls the RPC denial of service," said Schultze, who explained that it could be used to conduct denial of service attacks. "This one will be really critical for network administrators and corporations to protect all of their assets on their internal network... from disgruntled employees."

Schultze said there is no exploit currently circulating for this bug but he expects there will be one within a week.

The other critical bulletins address flaws in Kodak Image Viewer, Outlook Express and Windows Mail, and Microsoft Word that could allow remote code execution. Bulletin 059, rated "important," addresses a vulnerability found that impacts Windows SharePoint Services 3.0 and Office SharePoint Server 2007.

Microsoft had expected to release seven updates Tuesday, as stated last Thursday through its Advance Notification Service (ANS).

Tami Gallupe, Microsoft Security Response Center release manager, explained in a blog post, "As previously communicated, the ANS is always subject to change. We decided to remove one of the updates from the release schedule due to a quality control issue, so we can resolve that issue prior to releasing the update to customers."

Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest September 18, 2014
Enterprise social network success starts and ends with integration. Here's how to finally make collaboration click.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.