Microsoft Fixes 23 Flaws, Including Bug With MSBlast Potential

It isn't the usual "Patch Tuesday" at Microsoft. Rather, it's a record-breaker. Both the number of bugs disclosed and the tally of critical fixes broke previous records.

But he also pointed out that other fixes marked "critical" shouldn't be ignored. "None of them are really 'wait til later,'" he said.

While Windows got the most attention, Microsoft Office was the subject of two bulletins and three vulnerability fixes. PowerPoint was patched by MS06-048, while a critical bug in Visual Basic was plugged by MS06-047. The latter, said Microsoft, could be exploited by crafting a malicious document that supports Visual Basic scripting. Word, Excel, and PowerPoint users are at risk.

On the plus side, said Symantec, up-to-date versions of Office 2003 (SP1 and SP2) are immune.

As with some Office fixes released in June and July, the PowerPoint bulletin also affects Mac users of Office X and Office 2004. Mac patches can be downloaded from Microsoft's Mac-specific site.

August's count of 12 bulletins and 23 patches brought the three-month vulnerability count to a whopping 63, and the bulletin tally to 31, totals that easily broke previous records.

"It's been quite a summer," said Murray, who saw the numbers as a good thing.

"More important than anything else, I think this shows that Microsoft is being more transparent," Murray argued. "In the past, Microsoft would release a couple of bulletins but then patch a bunch of other stuff on the back end without telling us.

"Now they're a lot more transparent. They're showing us everything there is to show."

PatchLink's Andrew saw a different rationale for the glut. "The rate of [vulnerability] discovery is outstripping the rate of patching," Andrew said as he noted that security researchers -- both black hat and white hat -- are increasingly turning to automated tools to help them dig up bugs.

"That results in a backlog of vulnerabilities that need to be fixed," Andrew said.

Users can obtain the month's patches via Windows' Automatic Update, from the Microsoft Update service, or through other software and services the company offers, including Windows Server Update Services (WSUS) and Software Update Services (SUS).
