MS Patch Tuesday: 12 bulletins, 6 critical, 20 vulnerabilities

Microsoft's Patch Tuesday train rumbled into security central with a full load today: 12 bulletins with patches for at least 20 vulnerabilities in a wide range of widely used software products.

Six of the 12 bulletins are rated "critical," Redmond's highest severity rating.

As expected, there are fixes for gaping holes in the Microsoft Office desktop productivity suite but it is not immediately clear if all the flaws exploited in the recent zero-day attacks are covered.

The biggest batch is contained in MS07-014, which covers six different vulnerabilities in Microsoft Word. The Information and Communication Security Technology Center in Taiwan is credited with reporting two of the six Word bugs to Microsoft, suggesting that a government agency or business in Taiwan might have been the target of the attacks.

Four of the 12 bulletins deal with holes in Office applications -- Access, Excel, FrontPage, Outlook, PowerPoint, Publisher and Word. A separate update (MS07-015) covers two different bugs in Excel and PowerPoint.

There's also a "critical" fix (MS07-016) for the dominant Internet Explorer browser to cover a trio of flaws that allow PC takeover if a user simply browses to a malicious Web page. Uberhacker HD Moore of BreakingPoint Systems is credited with reporting five class identifiers documented in one of the IE vulnerabilities.

Another critical update, MS07-009, is also flagged as a high-priority issue because public proof-of-concept exploits are already available. This patch covers a bug in MDAC (Microsoft Data Access Components) that could be exploited via Internet Explorer. "The ADODB.Connection ActiveX control included in MDAC could, if passed unexpected data, cause Internet Explorer to fail in a way that could allow code execution," according to the alert.

The critical MS07-010 update is also a big black eye for Microsoft. It covers a remote code execution hole that affects all the security products that use the Malware Protection Engine. Affected software includes Windows Live OneCare, Microsoft Antigen 9.x, Microsoft Windows Defender, Microsoft ForeFront Security for Microsoft Exchange Server 1.x, and Microsoft ForeFront Security for SharePoint Server 1.x.

A successful exploit will completely compromise the affected computer.

Home users can download the patches from the Automatic Updates mechanism built into Windows. Patches can also be downloaded from Microsoft Update or Windows Update.

Security and reliability fixes for Microsoft Office can be downloaded from the Microsoft Office site.

  • Oh what a tangled web we weave......

    When first we practice the art of greed.

    How long have we been waiting for some of these updates? Months?
    I'm not saying that any platform is perfect in any way, shape, or form. Because everything has flaws. But this seems excessive.
    There are some who would say that MS was just taking their time to make sure that their patches worked properly. I say BS to that one. Mainly because there have been updates many times in the past that broke more than they fixed and they weren't "rushed".
    MS is in a d@mned if you do and d@mned if you don't situation. And they have no one but themselves to blame. A product that used to be cutting edge is now mediocre at best when people take the time to research what else is out there. And therein lies the problem. People don't like to take the time.
    I'm not saying that no one should use MS because it works great for some people. But if MS continues down the road that they are on with the way that they do things they are going to run out of pavement.
    • Be lucky

      Be lucky they're doing them ... and that they're free. If slimeballs who had nothing better to do than probe and poke for tiny holes and cracks, just to rip them into exploits for gain (i.e. notoriety or extortion) would just go away, this would hardly be a problem. Unfortunately the world doesn't work that way, so everybody suffers ... you, me and even the makers of the programs or platforms who have to waste so much time on this stuff.

      Yeah yeah I know, if they would just write perfect code to begin with. Like all those other human perfections I know of!
      • Lucky eh, hate to take you to the race track

        Take a think on this, MS, the most well paid software producer should not be flamed nor excused for their software but they should be damned well ashamed for the amount they charge for it. There are a lot of OS's out there that are a lot more secure, irregardless of security issues, Microsoft could easily afford to include OneCare as well as a lot more with Vista. Instead they want you to pay them $49 for insecure software that is supposed to make a "secure OS" secure. Are you getting any of this? If I stood in the middle of a Nebraska cornfield and killed everything in sight without doubt, you'd say United States was lucky to have me protect the country from killer bees. Now, let's get real, if it appears to be .... and smells like ...t, please don't tell me I should feel lucky and buy it as the MS is making a lot of money by overpricing their software. Say whatever you like, Microsoft gives nothing more than it can and exploits us whenever it can, in whatever way it can. This is not a bash but forget about being lucky that they provide updates as every OS I can think of does the same thing and charges a lot less for their OS. Example: Xandros Professional retails for less and you can install it on as many personal computers that you own as well as 1 business computer which means 1 license, 1 fee and it all comes with Antivirus, Adware and File Protection that MS calls OneCare which is not secure even after you've paid for it. MS Office is not free either, so let's not get silly about how lucky we all are to have MS give free updates for an OS that is overpriced and lacking.
  • Just waiting for the Vista patches to start flowing out...

    • The last isn't Vista?

      These, particularly the last, don't apply to Vista? Is it really too early to start
      patching the early cracks in the latest? Perhaps they just don't want to make the
      flaws too obvious just yet. Apple hasn't had much happening by way of security
      fixes for some time now. Not that there's nothing to patch, but possibly because
      it's so hard to get past the user who's preventing the bugs from getting a toe-nail
      in. Just because there are flaws does not mean a patch is needed ... yet.

      DLMeyer - the Voice of G.L.Horton's Stage
      • Windows 7 is what Vista should have been.

        But we will see as Vista SP1 comes out within 6 months.
        • lol - as if

          As if anyone, including Bill Gates himself, knows what Windows 7 will actually be...
  • more patches now that silly Bill Gates taunted

    hackers to attack vista because it, in his not so humble opinion, is totally safe! Hehe, that sort of behaviour, given the track record of his products would have me not buying his stuff, and sending around the mental health team.

    No doubt the breakdowns will affect MS users more than his mighty bank balance- but there you go. MS users should be really happy in the knowledge they are in fact buying something very cheap!
  • Patch Brought Local Net To Knees...

    This patch was so big it brought my local area cable Internet service to its knees when everybody's computer started trying to download the update at the same time. The effective outage lasted over 30 minutes, during which time only "parasitic" Yahoo Messenger stayed active (and it went into low bandwidth mode -- no ads). MS might want to slice the next big one into two or more batches.
    • Or your ISP might want to start installing some transparent caches

      Or your ISP might want to start installing some transparent caches. That way they only download it once to the DSLAM.
    • hmm

      if any patch is enough to bring down the node of a local cable company, I have to wonder about that cable company...perhaps they should subdivide that node into 2 or 3 or 4?

      perhaps it wasn't actually the patch that did it?
  • Patch Stories Should Say which Version of Windows is being patched

    With Vista the new "official" version of Windows for a full 2 weeks now, lol, (and a number of problems already reported, as expected with any new, huge OS like this), when I saw this headline, I figured these were patches for Vista, or possibly a combination of patches for Vista and XP...

    But NOWHERE in the story was there ANY indication of the related OS. I consider that a MAJOR oversight from this point forward until XP updates and patches become more or less a thing of the past. Since I haven't yet done my Vista upgrade, at first I didn't think any of this applied to me. Since I have only the Student-Teacher edition of MS Office, most of them STILL don't, but I have to assume some of them do, and I'm guessing I'll have lots of updates coming my way tonight or in the morning.

    Please be a little more clear in the future, ZDNet... you usually do a better job than this!
    Jeff Hayes
    • Info on patches and versions

  • Kudos to all the workers

    Whether you love or hate MS, I extend kudos to the hundreds and thousands of programmers whose job it is to fix the seemingly unending number of exploits. That part of MS deserves credit for trying to make the computing public more secure. It must be hard to maintain morale, and acknowledging their effort, regardless of the cause, should not be something we all ignore.

    Slam management, past decisions, all the management side as much as you want, but don't forget the folks in the lab trying their hardest to plug a security hole and not break everything in the process.

  • And the saga continues ,,,

    Be honestly Shelendrea, wasn't this the patch, that was supposed to fix the last patch, that was supposedly going to fix the last issue? There were problems to BEGIN with, were there not? Stay Tuned into the Batcaves will you folks, this is going to GET juicy ,,,

    "In a world without walls and fences , who needs windows and gates."


    We're back
  • Wasn't it broken to begin with ? <NT>

    No Text

    E O S

    End Of Story
  • Whatever the case this is rubbish ,,,

    Just laying low here & watching for the next new wave of problems.

    Thanx MS !:^\ . Like we need more features/problems ,,,
  • Same tired bashers... Boring

    You would think these whiny types would select something they like better and go on with getting their work done.
    • Same Old Rabble From A Senile Old Man

      Go back to your padded room grandpa.
  • To the Unix people

    Word-of-Mouth! As the only (retired) landscaper to visit here, I will assume the posture of Joe Sixpak, and Joe sez; "People won't buy things they don't know, nor use freeware they don't know is available. I came here because Windows had security issues. I learned here all about Linux and OSX. Before, I only knew about Windows! And I seem to be the ONLY ONE ever to do so! No other Non-Tech has ever posted here that I know of. My point is that you are basically PREACHING TO THE CHOIR! Even the "Windows Zealots" already know most of what you are saying. Surely this will be much the same throughout the Technical News. The people not being reached are the people who most need the information. I don't want to sound too preachy, but talking CAN make a difference! As a Proud Young Lady once told me; "If you've got something to sell, advertise!" Tech-to-tech is great for informing other techs. To inform others, you must talk to those others, and no-one is going to spring for TV airtime. That leaves it up to you. I try, but I'm a landscaper! Who listens to old hole-diggers for technical information? You are in a better position, I think.