On deck: Critical Windows, Office, IE patches


Summary: Microsoft plans to ship nine security bulletins next Tuesday with patches for a wide range of "critical" vulnerabilities affecting the Windows operating system, the Microsoft Office productivity suite and the widely deployed Internet Explorer browser.


In an advance notice alert issued today, the software maker said six of the nine bulletins will carry the highest severity rating while the remaining three will be rated "important."

The bare-bones details, via the MSRC, point to:

  • Six bulletins affecting Microsoft Windows with a maximum severity rating of critical. These updates will require a restart and will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.
  • One bulletin affecting Microsoft Office with a maximum severity rating of critical. These updates will not require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
  • One bulletin affecting Microsoft Office and Microsoft Windows with a maximum severity rating of critical. This update will require a restart and will be detectable using the Microsoft Baseline Security Analyzer.
  • One bulletin affecting Microsoft Virtual PC and Microsoft Virtual Server with a maximum severity rating of important. This update will require a restart and will be detectable using the Microsoft Baseline Security Analyzer and the Enterprise Scan Tool.

The Windows Media Player and the Windows Vista operating system are also affected by this batch of updates.

Topics: Windows, Browser, Microsoft

Talkback

33 comments
  • Cool, good to see them on top of things.

    Like it or not, regardless of the OS and apps you use, patches will always be with us.
    No_Ax_to_Grind
  • Wonder if they fixed this one.

    "If you are running Windows Vista Sidebar Gadgets, they are subject to cross-site scripting style bugs. These bugs are extremely serious because script in the Sidebar is capable of running arbitrary code in the context of the locally logged-on user."

    Directly from MS.
    No_Ax_to_Grind
    • Why do you care, Axey?

      After all, you have nothing good to say about Vista and are not running it, right?
      Confused by religion
      • Yes and no...

        I still have to fire Vista up for testing.

        But basically you are right, it's not a big issue for "me".
        No_Ax_to_Grind
    • It assumes you only use gadgets you trust.

      When you open a gadget from, say, the Internet (e.g. the online gadget gallery), it warns you to only install gadgets that you trust. If you choose to proceed, any problems in the gadget are your fault. It's not like a web site, where you can just stumble upon a malicious page.

      As for "...script in the Sidebar is capable of running arbitrary code...", I'm not sure about that. They can instantiate arbitrary ActiveX controls on your computer, but gadgets don't contain any binary code themselves, so I don't think they can run arbitrary *code*. However, if one of the ActiveX controls it used had a bug that allowed code execution, then yes that would run in the context of the user. Just like in IE (pre-Vista). Making Sidebar use protected mode may be a good idea at some point.
      PB_z
  • Backwards security model.

    This attitude is what Bruce Schneier talks about in his article "E-Voting Certification Gets Security Completely Backward" here: http://www.wired.com/politics/security/commentary/securitymatters/2007/08/securitymatters_0809

    "Oh trust us, our system is very secure" until the next hacker comes along and rips so many holes in it.

    The pity is that people have become so accustomed to this ridiculous attitude we take security holes for granted.

    I only wish Microsoft were also in the aircraft manufacturing business; they would have been sued into oblivion for the next six generations.
    kraterz
    • Do you realize

      That all other OSes have as many bugs as Windows; it's only that Microsoft, for whatever reason, is held to a higher standard. Can you show me in the last few years that Linux and Apple did not have more bugs than Windows? Please feel free to point me to this information, then maybe I can take your post with some amount of sincerity and credibility. You do realize that ZDNet and all other IT media outfits print every fix Windows has, right? You don't see every fix for Linux, but they are happening all of the time. Any Linux distro or product... esp. Firefox is getting patched constantly.
      Try subscribing to any independent vulnerability reporting organization and find out for yourself.
      Your comments about being sued... so you mean Apple, with the unusually high number of patches this year, should be sued? Or only Microsoft? Apple has outpaced Vista's need for patches this year by a very wide margin, but only Microsoft is accountable? Firefox has outpaced IE in vulnerabilities this year as well... should the lawyers be converging on Mozilla and their products that are equally buggy?
      xuniL_z
      • I Don't understand your post.

        I've used many Linux distros for almost 3 years. I install it and I'm done until I want to try something different (on my own terms). I don't check for any problems, I don't install AV or spyware protection, I don't install a firewall, I don't restrict websites for my family, I don't activate it, I don't have to re-activate it, I don't deal with WGA, I don't deal with DRM, I don't deal with problems - period. Where are you getting this information? I have 7 times more experience with Windows (since 3.1) and you don't want to hear about my experiences with it over the last 20 or so years.
        Joe.Smetona
        • I don't understand you.

          You don't take the weekly (or close to it) security updates? Isn't that foolish?

          Say what you want, I can tell you are one who will only say it one way, but who is targeting your obscure Linux distro?
          Are you saying you didn't notice how the only open source project on Linux so far has been plagued with flaws? Firefox? And version 3.0, from the horses' mouths, is bloated and buggy. Too much Google code in it I suppose. In any case, when FF gained significant market share, they found they had many holes we were led to believe didn't exist. So I say it's the same with your Linux distro. There is no doubt it's vulnerable, just who's written code to exploit it... probably nobody.
          When an OS has vulnerabilities, which Linux has as many reported as Windows, that means they can be exploited. No ifs, ands or buts. If they don't get hit, the ONLY possible reason is nobody wrote code to exploit it during the window of time it was unpatched. Simple as that. Windows is constantly targeted by the full force of hackers worldwide. Many are terrorists targeting "America's" OS, many are people that don't like Microsoft for one reason or another.
          But the bottom line is all OSes are exploitable. They are equally insecure. In fact, Linux is probably more insecure than Vista, but they are just not yet being exploited.
          I'd rather use Windows, which has multiple killer apps and still is a much better all-around home user product than any Linux OS going. They are getting closer but still are not there yet. It won't be too much longer, but for now Windows is the best OS you can get in terms of usability and security combined.
          Glad you don't mind recompiling a lot.

          As for my "personal" experiences, I've used Windows since version 3.0 and have never ever, not once, had a problem with malware or a virus of any kind. Solid as a rock. I've got to the point I don't run AV software on XP and still no issues.

          You can tell me your Windows horror stories all you want, but it only pays homage to the fact that Windows has been 90+ of the market for the last 20 years of your experience and the target of everyone who has ever tried to hack a system. Not perfect software, but then there is no perfect software, even though Linux and Mac users like you to think their OS is perfect.
          xuniL_z
          • Reply

            Not True
            There are intrinsic differences in the way they are made.

            Convince the Windows HTML control that you're in the trusted zone, and you can do anything you want.

            That's why Linux is so secure. (Google runs on Linux, ZDNet runs on Linux & Apache.) I don't know of any plans of Google or ZDNet to dump Linux and go to MS.

            To quote a previous and succinct reply from a ZDNet post:

            "A remote code execution vulnerability results from the way local or UNC navigation requests are handled in Windows Mail. An attacker could exploit the vulnerability by constructing a specially crafted e-mail message that could potentially allow execution of code from a local file or UNC path if a user clicked on a link in the e-mail message. An attacker who successfully exploited this vulnerability could take complete control of an affected system."

            Security zones again. Microsoft created this flaw in 1997, and until they back out the design of the HTML control and change the API (so that the *calling application*, not the *HTML control*, has *complete* control over what the object it's displaying is allowed to do) this will keep coming up.

            If you can convince the HTML control that you're in the trusted zone, you can do anything you want.

            AND

            The HTML control has to *guess* what zone an object is in, based on the location it sees that object in.

            So long as these two things are true, IE and any other program that uses the HTML control will never be secure."

            ****************
            For me, Windows is absolutely not worth the effort or bother to play with (especially Vista). It's NOT just a matter of where the hackers' attention is. Windows and Linux are genetically different.
            Joe.Smetona
      • Now they are getting the attention they (Apple) deserve

        This is so true. The good/bad news is that Apple etc. has not gotten the attention of the bad guys, so Apple/Linux is like the man on the desert island who is rescued and comes to the big city: he will now get all the colds and have to watch out for the muggers just like the rest of us.
        Apple only has those annoying advertisements to blame for getting that kind of attention.
        Baer
        • but at the end of the day...

          ... for some reason you're better off by not using Windows. Theoretically you may be right, but in practice you're not. Isn't that what counts?
          Non-Zealand
          • That is based on....

            what experience? The "windoze" days are so far gone that you sound like a fool even saying anything about being worse off with Windows. How? OS X and Linux have nowhere near the intelligence built into Windows for businesses and home users alike. XP, Server 2K3, Exchange 2K3 shops are rock solid. I suppose that's why there has been an increase in Server 2K3 sales, replacing Unix and Linux servers worldwide. Especially notable is that they are also using IIS 7.0 at a notably increasing rate around the world. Go figure. With the greatness of a Linux server, who would switch to Windows Server 2K3? Apparently a LOT of companies.
            Also, I work with sites with the setup I mention, so I'm talking from real-life experience... they were migrated from Unix to NT to Win2K to Win2K3... solid the whole way. NT 4.0 days were not as easy in terms of system administration, but good and solid when deployed correctly. Now with Active Directory, Windows networks are a snap to manage; changing privileges is a 5-minute job once your OUs are set up initially.
            2 things you must do:

            1. Make sure no user has more access than they need, including restricting them to only the websites they need for their job.
            That eliminates 95% of all "care and feeding" since people are not playing around and changing settings in Control Panel etc. Doing this with Group Policy could not be easier... need to lock down 500 PCs? Click, click, drag, drop... Done!
            2. Make sure to set up WSUS (free) if you are not using SMS to manage patch delivery. Once set up (it takes one person a day or so to get it set up and the database loaded), you have central control over what patches go out and when. Most sites set to 3:00am and handle machines running jobs all night as exceptions.
            There is very little care to WSUS. Maybe an hour a month total.
            With all other standard security and spam filtering in place you will have a clean network and the most useful software on the planet at your disposal. At the main site I work for, productivity went up dramatically since the Unix days. They are still using Office 2000 except for Outlook 2003, because an Outlook 2003 volume license comes free with Exchange Server, so you can load it on all clients w/o paying a dime. That makes for a more robust mail client that works better with a 2K3 domain. The rest of the Office apps are fine. They paid 25K in 2000 for the Office license. That is around 1000 clients times 7 years at 25K. That is 25 bucks per client to have Office. Spread that cost over 7 years and you get Office 2000 at 3.50 per desktop. Let's see Google's premium apps beat that!! 50 bucks per seat, per year, and ZDNet has somehow proclaimed it's cheaper going with the less capable Google apps. HA!
            xuniL_z
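The two steps in the comment above (least-privilege users via Group Policy, centrally controlled patching via WSUS) only hold if every client actually receives the policy. Below is an added example, not code from the article or the commenter, that audits a Windows client's Automatic Updates policy against that baseline: pull from the internal WSUS server, automatic updates on, scheduled install daily at 03:00. The registry value names are the documented Windows Update policy values; the WSUS URL is a placeholder assumption to replace with your own server.

```powershell
# Added example: audit a client's Windows Update / WSUS policy against a baseline.
# Assumption: $ExpectedWsusUrl is a placeholder for your own WSUS server address.
$ExpectedWsusUrl = 'http://wsus.example.internal:8530'

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuKey     = Join-Path $PolicyKey 'AU'

# Return a registry value, or $null when the key or value is absent
# (an absent value means no policy is applied, which is itself drift).
function Get-RegValue([string]$Path, [string]$Name) {
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

# The baseline the comment describes, one row per policy value.
$checks = @(
    @{ Name = 'WUServer';             Path = $PolicyKey; Expected = $ExpectedWsusUrl; Why = 'clients must pull updates from the internal WSUS server' }
    @{ Name = 'WUStatusServer';       Path = $PolicyKey; Expected = $ExpectedWsusUrl; Why = 'status reports must go to the same WSUS server' }
    @{ Name = 'UseWUServer';          Path = $AuKey;     Expected = 1; Why = '1 = use the WSUS server instead of Microsoft Update' }
    @{ Name = 'NoAutoUpdate';         Path = $AuKey;     Expected = 0; Why = '0 = Automatic Updates enabled' }
    @{ Name = 'AUOptions';            Path = $AuKey;     Expected = 4; Why = '4 = auto download and schedule the install' }
    @{ Name = 'ScheduledInstallDay';  Path = $AuKey;     Expected = 0; Why = '0 = install every day' }
    @{ Name = 'ScheduledInstallTime'; Path = $AuKey;     Expected = 3; Why = '3 = 03:00 local time, as in the comment' }
)

# Compare each actual value with the baseline and record OK or DRIFT.
$results = foreach ($c in $checks) {
    $actual = Get-RegValue -Path $c.Path -Name $c.Name
    [pscustomobject]@{
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = if ($null -eq $actual) { '<not set>' } else { $actual }
        Status   = if ("$actual" -eq "$($c.Expected)") { 'OK' } else { 'DRIFT' }
        Note     = $c.Why
    }
}

$results | Format-Table -AutoSize

# Non-zero exit so the script can gate a login script or a monitoring job.
$drift = @($results | Where-Object Status -eq 'DRIFT')
if ($drift.Count -gt 0) {
    Write-Warning "$($drift.Count) Windows Update policy setting(s) differ from the baseline on $env:COMPUTERNAME"
    exit 1
}
```

Run it as an administrator on a domain-joined client after `gpupdate /force`; any row marked DRIFT means the machine is not under the central patch control the comment relies on, typically because it sits in an OU the WSUS GPO is not linked to.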
          • sound like a fool?

            I beg to differ, just look around... I still have to find ONE Mac user that has security problems (and everything related to such problems); on the other hand many of my Windows friends keep on having the same problems they've been having since the introduction of Windows.
            I suppose this is too simplified for you, but in the end it is that simple.
            Non-Zealand
          • Name them.

            Name the "problems" your "friends" keep having with Windows. Now remember, if your friends are not the sharpest knives in the drawer, I can't be of much help. Clicking those links in emails from xxxxxxxxxx@xxxxxxx.com is something they will need to figure out. Nobody can cure stupid.

            Now if it's something legitimate, tell me what it is please. I'll give you the answer.
            xuniL_z
      • Higher Standard

        In a word, yes. MS should be held to a higher standard. It is 90% of the market, it is the big fat cracker target. MS knows or should know that every black-hat out there is gunning for them. But now that MS is selling its own add-on security product, tell me what is their incentive to close all the loops?

        Call me paranoid, but I really do not like the fact that MS is now selling Windows Live OneCare. I see this as a HUGE conflict of interest.

        As to proving that other OSes do not have as many holes as Windows, well, that is proving a negative, which is impossible. Secondly, each hole in MS has a much bigger footprint because:
        1.) There are many more black-hats out there banging away at those holes
        2.) There are many more users affected by a mal-ware attack.

        If someone puts out a malware attack that absolutely kills every flavor of Linux out there, who suffers? The desktop Linux cohort is tiny; most of Linux is riding on servers. So an exploit in Linux, to do any damage, would have to attack servers. An exploit on desktop Linux is the definition of pointless.
        Much the same for OS X, but even more so. Since most malware out there is an .exe file, OS X is going to ignore it anyway. Damn few servers out there run Apple's Xserve. So what would be the point of knocking them down? What kind of black-hat bragging right is that?

        An exploit that takes down the MS Windows world? Now we are talking! Again MS is the 1800 pound gorilla in the IT world. It's good to be the king but being the king means every black-hat out there wants to urinate on your crown.

        As for the Firefox screed, you must be kidding. By tightly bundling IE with Windows, MS created a security nightmare. How many exploits posted begin with the work-around "use a browser other than IE"? I remember quite a few. I also remember Mozilla being diligent about squishing the bugs in Firefox. I note that MS was a little less diligent with its extermination efforts, especially in the lull between the challenges offered by Netscape and Firefox. With Firefox add-ons I can further tighten down the security of the browser. Ever heard of Ad-Block or NoScript? They really can help you lock down the Firefox browser. There is no equivalent to either in IE.
        Even if the numbers of bugs are the same, which I doubt, that still doesn't speak to the seriousness of the individual bugs. While MS is only releasing 7 patches this Tuesday, they are all rated by MS as "critical." I've lost count of all the MS "we are all gonna die" bugs that have been reported on. At least every month there is some "critical" patch that absolutely needs to be downloaded.
        Again, call me paranoid, but I see MS putting out fewer patches on the free site. I see that eventually only the most urgent patches will come out for free. I do see MS slowly shoving us into Windows Live OneCare. Want important patches now? Subscribe to Windows Live OneCare. You can get those important security updates now with Windows Live OneCare, or you can wait for our free monthly, oops quarterly, oops semiannual, oops next Service Pack update.
        Will you still be defending Redmond when you have to cough up $50.00 per year to Big Bill just so the black-hats don't rape you silly? And once Symantec and ZoneAlarm and Panda go the way of Netscape, who is going to keep MS honest? Once MS owns the security roost, the price of Windows Live OneCare will sky-rocket and the quality of the protection will plummet.
        Yes I'm paranoid, but just because you're paranoid doesn't mean they are not out to get you.
        spincitysd@...
        • I totally agree. You seem to have misunderstood me.

          "But now that MS is selling its own add-on security product, tell me what is their incentive to close all the loops?"

          Easy one. Linux and OS X. If Microsoft doesn't see that threat and the need to build more secure software, they deserve to lose a ton of market share, and they will. Total agreement.
          However, about Live OneCare, consider the situation during XP. Nobody on here had a good word for MS security nor NAV or TM or any of the AV vendors. So really MS is only trading blows from one side of the face to the other with this one. Don't you think? Why does Apple lock up their code so tight? The Apple ecosystem is pretty small, relatively speaking. I don't see anyone saying Apple should open up and let others handle aspects of their OS. Sure they are not the top dog... yet... but shouldn't an ethical company do it right from the beginning?

          "Secondly, each hole in MS has a much bigger footprint because:
          1.) There are many more black-hats out there banging away at those holes
          2.) There are many more users affected by a malware attack."

          I am in total agreement on this one. Now, try to convince the Mac users and many in the Linux community that the market share theory is not just a myth. Good luck to ye.

          "If someone puts out a malware attack that absolutely kills every flavor of Linux out there, who suffers? The desktop Linux cohort is tiny; most of Linux is riding on servers. So an exploit in Linux, to do any damage, would have to attack servers. An exploit on desktop Linux is the definition of pointless.
          Much the same for OS X, but even more so. Since most malware out there is an .exe file, OS X is going to ignore it anyway. Damn few servers out there run Apple's Xserve. So what would be the point of knocking them down? What kind of black-hat bragging right is that?

          An exploit that takes down the MS Windows world? Now we are talking! Again MS is the 1800 pound gorilla in the IT world. It's good to be the king but being the king means every black-hat out there wants to urinate on your crown."

          Again... I'm in 100% agreement. This just punctuates it further.
          Who are you arguing with here? Or are you just preaching to the choir today?

          "As for the Firefox screed, you must be kidding. By tightly bundling IE with Windows, MS created a security nightmare. How many exploits posted begin with the work-around "use a browser other than IE"? I remember quite a few. I also remember Mozilla being diligent about squishing the bugs in Firefox. I note that MS was a little less diligent with its extermination efforts, especially in the lull between the challenges offered by Netscape and Firefox. With Firefox add-ons I can further tighten down the security of the browser. Ever heard of Ad-Block or NoScript? They really can help you lock down the Firefox browser. There is no equivalent to either in IE.
          Even if the numbers of bugs are the same, which I doubt, that still doesn't speak to the seriousness of the individual bugs. While MS is only releasing 7 patches this Tuesday, they are all rated by MS as "critical." I've lost count of all the MS "we are all gonna die" bugs that have been reported on. At least every month there is some "critical" patch that absolutely needs to be downloaded.
          Again, call me paranoid, but I see MS putting out fewer patches on the free site. I see that eventually only the most urgent patches will come out for free. I do see MS slowly shoving us into Windows Live OneCare. Want important patches now? Subscribe to Windows Live OneCare. You can get those important security updates now with Windows Live OneCare, or you can wait for our free monthly, oops quarterly, oops semiannual, oops next Service Pack update.
          Will you still be defending Redmond when you have to cough up $50.00 per year to Big Bill just so the black-hats don't rape you silly? And once Symantec and ZoneAlarm and Panda go the way of Netscape, who is going to keep MS honest? Once MS owns the security roost, the price of Windows Live OneCare will sky-rocket and the quality of the protection will plummet.
          Yes I'm paranoid, but just because you're paranoid doesn't mean they are not out to get you."

          I won't go through this point by point, but the reason FF can tighten up quicker from their vulnerabilities (and you kid yourself if you think for a sec. they are not as many as on Microsoft. Subscribe to vulnwatch and see how many holes are found for FF, MySQL, Postgres and all flavors of Unix and Linux, yet these are rarely posted on zdnet.com. Why? I dunno. I guess zdnet.com is biased toward MS, or MS bugs make better news stories. Maybe they figure MS deserves it while Linux should have the advantage to "appear" more secure since they are so small in the market?
          Anyway, everyone knows MS has/had those problems. No sense beating it like a dead horse though. I do believe average users use the Microsoft website. I do believe most users today are many degrees more savvy than they were 5 years ago. They can find a lot of free protection out there... AVG, Defender... and this is also passed along by word of mouth. I've seen this happen at many sites... Defender's existence and AVG's existence are spread by word of mouth. I've never had malware on any Windows box I've ever owned. It's not hard, even for the general public, to take "s-i-m-p-l-e" measures to protect their OS and data. I don't run AV most of the time... in that case it's only a matter of knowing your links are safe and ignoring email you know is not intended for you. Also, you can lock down scripting in IE quite well.
          Now fast forward to 2007 and IE in protected mode is blocking or mitigating attacks with great success. It may well be more secure than FF and certainly more secure than Safari. So what's the big deal? Vista is coming around. Vendors are seeing the light. Most newer hardware supports Vista very well. It's built on the SDL security model and some think it's slower than XP, but it uses RAM differently. That is something you can change. I heard someone complain about dumping 450 GB onto his new Vista machine with indexing on and being upset it took many hours to index that 450 GB. Well, no kidding. You still have to know your OS and how to use it. Linux people know this. Apple people want something idiot-proof, but that comes at a cost of flexibility and usability in my mind. In fact, I think Windows has the most usability factor of all 3. That's always been their strength, in betrayal of security. But you can't have both w/o compromising quite a dang bit. Maybe that is why Windows can still do more than Linux in terms of usability. (imho... not stating fact, just opinion).
          Vista was a no-win situation for Microsoft. Keep it like XP and everyone laughs and complains how it's just another XP with maybe some lipstick. Actually take the next large step after XP SP2, and you get incompatibilities and ppl. are slamming MS for that. You can't have a security shift like that w/o any pain. They had to do it... it will be all good in the end. The blowhards on here only like to seize on ANY opportunity to bash Microsoft. Like I said, they would have got it either way and I'm confident you know that. The XP to Vista step, security-wise, was huge for Microsoft. They knew they had to stage in security and have been doing this since the NT lineup. And anyone that's paid attention has seen incremental improvements. XP is well liked, even by some diehard Linux people. But it still gets crucified for security related problems. Microsoft had to break ties with some backward compatibility. They had to take the big step. They were getting killed about security, when as you say it was just the blackhats gunning for them alone, and they knew it would be painful. I'm sure they hoped vendors like Intuit would not sit on their collective butts and not get a Vista version of QB ready for launch. Don't you find that very very strange? They built their 2006 version, with all of the Vista tools they needed and then some... but still built it to run on NT up thru XP only? Why? Then they announced their 2007 would be compatible later in 2007. Unbelievable. I think the graphics vendors did the same thing. I wonder if these companies, who've all made tremendous amounts of money from Windows machines, thought MS would back off and allow full backward compatibility in the end.
          I think you worry for nothing. Microsoft does NOT have that kind of stranglehold on the industry anymore. The alternatives are gaining momentum and MS will need to recognize that fact and adjust by building better products, or they will go down.
          The public has been made fully aware of the alternatives and they've gotten a large dose of ANTI-MS on top of it, from Jobs at all Apple conferences and commercials to Linux, the FSF and their Vista hate site recruiting those to bash Vista in any way they can, wherever they can (such as zdnet.com).
          xuniL_z
  • Microsoft is on top of this.

    Glad to see they are getting quick fixes out next Tuesday.

    For those that want to stay on top of Microsoft vulnerabilities, bugs etc.... if you are not aware, there are newsletters you can subscribe to, for free of course, to get the earliest info on any problems with any Microsoft code. Doesn't mean you'll have the fix immediately, but you will know where the problems lie ahead of waiting to hear about them here or some other source, the week before they are released.
    Anyone subscribed to the independent vulnwatch? It's a great resource (and why I know that Linux has many many vulnerabilities that never make it into the zdnet.com blogs.)
    xuniL_z
    • wrong

      For people like YOU this may be nice and interesting and all you want, but 99% of Windows users will either never know about all this, or won't understand it, or simply have other things to do and don't want to be bothered with it.
      PCs are made for the masses, but people who read and write on these blogs are not.
      Non-Zealand
      • Ok

        But why don't those more active in IT, on here, talk about the OSS bugs flying around the security universe on a regular basis then?
        As for the masses, if they run Windows Update and do minimal other preventative measures, they will be fine. The rest on here is hyperbole from ABMers.
        xuniL_z