Microsoft's Mega Batch Of Patches, The Second Largest In 2007 - InformationWeek

Researchers are calling this a massive bundle of patches, fixing bugs that will affect anyone using Windows.

IT managers and techs may want to reschedule any plans they had for fun in the sun for the rest of the week.

In its monthly Patch Tuesday release, Microsoft issued the second-largest bunch of fixes this year -- patching vulnerabilities that will affect anyone using Windows, according to Amol Sarwate, manager of the Vulnerability Research Lab at Qualys.

Microsoft released nine security bulletins, fixing a total of 14 vulnerabilities. Eight of the bugs are rated critical; four are rated important, which is the next rung down on the risk scale; and two are rated moderate. The fixes address flaws in Windows, Windows Media Player, Windows Gadgets, Office, Excel, Internet Explorer, Visual Basic, Virtual Server, and Virtual PC.

"Today was the biggest patch day in the last five or six months," said Sarwate, noting that the patches affect three or four core components. "We haven't seen this many critical patches since February. And we have the largest amount of applications affected. Anyone using Windows will be impacted by this."

Symantec Security Response rated the Cumulative Security Update for Internet Explorer as the most critical since two of the vulnerabilities affect Internet Explorer version 6 and version 7 on Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. A successful exploit, which would most likely be delivered via a malicious Web page, could enable a hacker to remotely install malicious code.

Symantec researchers also noted the vulnerability being patched in the Windows Graphical Device Interface (GDI), which is designed to enable applications to use graphics and formatted text. The bug affects Microsoft Windows 2000, Windows XP, and Server 2003.

The client-side flaw, they reported, is in the GDI graphics rendering engine library. It could be triggered by a malicious Windows Metafile. The bug could be exploited by a malicious Web page or an HTML e-mail, and it would allow an attacker to install malicious code on the victim machine.

Researchers at McAfee noted that this month's batch of patches highlights a new problem -- using malicious RSS feeds to attack Windows Vista.

One of the nine bulletins released today reported that an attacker could remotely run code on a system if a user subscribes to a malicious RSS feed in the Feed Headlines Gadget or adds a malicious contacts file in the Contacts Gadget or clicks on a malicious link in the Weather Gadget. Microsoft noted that this is an important security update for all supported editions of Windows Vista.

"Many of the vulnerabilities addressed by Microsoft's fixes could be exploited if a Windows user simply visits a malicious Web site," said Dave Marcus, security researcher at McAfee Avert Labs. "Microsoft's patches again underline the trend of malware writers seeking out the Web browser as a means of attack and reinforce the need of safe browsing habits."

Microsoft's other mega batch of patches came in February when the company fixed 20 vulnerabilities with 12 patches.
