
Microsoft's Mega Batch Of Patches, The Second Largest In 2007

Researchers are calling this a massive bundle of patches, fixing bugs that will affect anyone using Windows.

IT managers and techs may want to reschedule any plans they had for fun in the sun for the rest of the week.

In its monthly Patch Tuesday release, Microsoft issued the second-largest bunch of fixes this year -- patching vulnerabilities that will affect anyone using Windows, according to Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.

Microsoft released nine security bulletins, fixing a total of 14 vulnerabilities. Eight of the bugs are critical; four are rated important, which is the next rung down on the risk scale; and two are rated moderate. The fixes address flaws in Windows, Windows Media Player, Windows Gadgets, Office, Excel, Internet Explorer, Visual Basic, Virtual Server, and Virtual PC.

"Today was the biggest patch day in the last five or six months," said Sarwate, noting that the patches affect three or four core components. "We haven't seen this many critical patches since February. And we have the largest amount of applications affected. Anyone using Windows will be impacted by this."

Symantec Security Response rated the Cumulative Security Update for Internet Explorer as the most critical since two of the vulnerabilities affect Internet Explorer version 6 and version 7 on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. A successful exploit, which would most likely be delivered via a malicious Web page, could enable a hacker to remotely install malicious code.

Symantec researchers also noted the vulnerability being patched in the Windows Graphical Device Interface (GDI), which is designed to enable applications to use graphics and formatted text. The bug affects Microsoft Windows 2000, Windows XP, and Server 2003.

The client-side flaw, they reported, is in the GDI graphics rendering engine library. It could be triggered by a malicious Windows Metafile. The bug could be exploited by a malicious Web page or an HTML e-mail, and it would allow an attacker to install malicious code on the victim machine.

Researchers at McAfee noted that this month's batch of patches highlights a new problem -- using malicious RSS feeds to attack Windows Vista.

One of the nine bulletins released today reported that an attacker could remotely run code on a system if a user subscribes to a malicious RSS feed in the Feed Headlines Gadget or adds a malicious contacts file in the Contacts Gadget or clicks on a malicious link in the Weather Gadget. Microsoft noted that this is an important security update for all supported editions of Windows Vista.

"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," said Dave Marcus, security research at McAfee Avert Labs. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits."

Microsoft's other mega batch of patches came in February when the company fixed 20 vulnerabilities with 12 patches.
