Patch Tuesday heads-up: Critical MS Office patches coming

Summary: Microsoft plans to release six security bulletins next week to fix at least 15 serious vulnerabilities that could expose Windows users to malicious hacker attacks.

Microsoft plans to release six security bulletins next Tuesday November 10 to fix at least 15 serious vulnerabilities that could expose Windows users to malicious hacker attacks.

According to Microsoft's advance notice for this month's Patch Tuesday, the updates will address gaping holes in the Windows operating system and the Microsoft Office productivity suite.

Three of the six bulletins will be rated "critical," Microsoft's highest severity rating. The other three will be rated "important."

According to the Redmond, Wash. software maker, the Windows OS vulnerabilities affect Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and Windows Server 2008.

The code execution holes affecting Microsoft Office will apply to Office XP, Office 2003 and the 2007 Office System.

The bulletins will also include patches for serious holes in the Microsoft Excel spreadsheet program.

Microsoft Office for Mac is also affected.

Topics: Operating Systems, Collaboration, Microsoft, Software, Windows

Talkback

49 comments
  • Office for Mac also affected...

    So where are the rants from Windows zealots who scream blue murder every time there's a patch for possible exploits of iTunes on Windows?

    Oh, that's right, faulty Microsoft software on OS X must be Apple's fault. Forgot that.
    Fred Fredrickson
    • Marketing

      Microsoft has not built a marketing campaign on
      ridiculing Apple's OS X abysmal security.

      Apple has built a marketing campaign on
      ridiculing Windows security.

      That is the difference, see?

      When Apple chooses to do so and at the same
      time is the vendor of a Windows product
      with numerous and very severe security bugs,
      they open themselves up to criticism.

      Everybody knows that building totally
      invulnerable software is nigh impossible, at
      least if it has to be affordable and available
      to the market before the sun burns out. That is
      why Microsoft doesn't beat the security drums.

      When Apple does so and at the same time
      contributes to the instability and insecurity
      of the platform they attack, it is bordering
      recklessness.

      OS X vulnerabilities still outnumber Windows
      vulnerabilities 3 to 1. Despite clever and smug
      marketing, OS X is still much more vulnerable
      than Windows.
      honeymonster
      • microsoft propaganda detected

        OS X has excellent security, based on BSD.

        this is a piece of not-so-well-hidden microsoft propaganda
        ljenux-23043766007667558234416105604265
        • Specifics, please

          The "excellent" security that OS X inherits
          from BSD, what exactly is that?

          Or is that just propaganda?

          OS X has more vulnerabilities, more risk days,
          is patched slower and has fewer and less
          efficient anti-exploits mechanisms.

          <u>OS X has more (<b>the most</b>)
          vulnerabilities.</u>

          http://www-935.ibm.com/services/us/iss/xforce/trendreports/xforce-2008-annual-report.pdf
          Read <i>most vulnerable operating systems</i>.
          That's right. OS X has 3 times more
          vulnerabilities compared to Vista. Ugh.

          The raw vulnerabilities:

          http://secunia.com/advisories/product/96/
          http://secunia.com/advisories/product/13223/

          Apple OSX vulnerabilities: 1038
          MS Vista vulnerabilities: 140
          MS Windows XP vulnerabilities: 289.

          <u>OS X has fewer and less efficient
          anti-exploit mechanisms</u>

          Apple's Mac OS 'lagging behind Vista on
          security':
          http://software.silicon.com/malware/0,3800003100,39501473,00.htm

          (Charlie Miller should know, he's the one who
          keeps taking down macs at pwn2own - and he is a
          mac user himself!)

          What's Missing and What's New in Snow Leopard
          Security Enhancements:
          http://blog.intego.com/2009/08/31/whats-missing-and-whats-new-in-snow-leopard-security-enhancements/

          <u>More risk days</u>

          Apple again, again and again delays
          patches while vulnerability information is in
          the open and Mac users exposed with no
          mitigation.

          http://arstechnica.com/apple/news/2009/06/apple-finally-issues-patch-for-critical-java-vulnerability.ars

          Apple let that particular Java vuln sit for 6
          months while all other platforms had been
          patched and vulnerability information was in
          the open.

          Because of the way Apple assembles OS X from
          many open source components, Apple is
          notoriously late to patch when those components
          are patched elsewhere. That goes for example
          for libxml. At any one time you can find good,
          exploitable vulnerabilities simply by comparing
          version numbers of OS X libraries with those at
          the source.

          The propaganda is entirely coming from Apple.
          And you fell for it! They have successfully made
          an army of fanbois believe a blatant lie.
          honeymonster
          • blah blah...nothing but microsoft propaganda lies

            statistics is the biggest lie.

            and you are using so called "relevant" statistics, nothing but lies, dirty lies.

            microsoft is paying and has paid many research reports that will prove this and that, but how many viruses are for windows and for OS X?

            you cannot hide truth with statistics.

            by the way, i'm not buying into Apple lies, i don't prefer Apple but linux/BSD
            ljenux-23043766007667558234416105604265
          • Wow, those are some really mature arguments

            Glad you don't stoop to childish dismissals.

            Nice to meet someone who is not afraid of
            re-evaluating their opinion when faced with
            inconvenient facts.

            Thanks.
            honeymonster
          • I can't blame him

            Considering you feel so threatened by a minority operating system.
            Wintel BSOD
          • ljenux: "I object!"

            Judge: "Why?"
            ljenux: "Because it's devastating to my case!"

            Really honeymonster... How dare you infect this hallowed ground with your facts and statistics. I mean, presenting a logical argument that accurately debunks the premise of the opposing argument, what's with that?
            Mew-shew
          • Another deflection away from Patch Tuesday

            But go on. Defend the indefensible. Tell us how wrong Ryan Naraine's story really is.
            Wintel BSOD
          • Indefensible?

            Patching is what responsible operating system/application vendors do right?

            Vulnerabilities should be patched. Microsoft products have vulnerabilities. Once a month Microsoft releases patches for these vulnerabilities.

            To be honest I'm struggling to see where "defending the indefensible" applies here. I know you're a troll, but I enjoy pointing out the nonsense regardless.
            Mew-shew
          • Yes, indefensible

            I don't see anywhere where Ryan mentioned Linux in his article. Do you?

            Only when honeymonster does his usual insecurity mode deflection does Linux come up.

            But then, none of these Patch Tuesday bonafide exploits affect Linux, now do they...

            Hmmmm? ;)
            Wintel BSOD
          • So you're arguing that Windows is indefensible...

            ...because honeymonster mentioned linux.

            That's loopy.

            "Defend the indefensible. Tell us how wrong Ryan Naraine's story really is."

            The implication here is, if Ryan's story is accurate, Microsoft is at fault and therefore the MS-apologists would need to defend it. The problem is that Ryan's story is accurate, and guess what? There's no reason to defend Microsoft. They are taking the appropriate action to maintain the integrity of the product.

            I'm not defending MS. I'm pointing out the stupidity of the comments being made here. How could I defend MS, when there is yet to be a valid criticism leveled at it in this thread?

            If you don't like Windows, that's cool. I totally get it. Each to their own. But if you're going to openly criticise MS and its products you should try to have some knowledge of the subject matter, and actually come up with an argument based on accurate information.
            Mew-shew
          • @Mew-shew

            <i>"So you're arguing that Windows is
            indefensible because honeymonster mentioned
            linux."</i>

            The irony is... I did not mention Linux. I have
            been going over my posts and looked for it, but
            I didn't mention Linux. Apple and BSD, yes -
            since that was the post I was originally
            responding to. But not Linux.

            honeymonster
          • Nope, you're missing my point

            [i]The implication here is, if Ryan's story is accurate, Microsoft is at fault and therefore the MS-apologists would need to defend it. The problem is that Ryan's story is accurate, and guess what? There's no reason to defend Microsoft. They are taking the appropriate action to maintain the integrity of the product.[/i]

            If that's truly the case, then why bring up red herrings like Linux, Apple or BSD in the first place? Looks like you all were out the front gate from the beginning.

            Given honeymonster's track record here, you can substitute Apple for Linux or vice versa for BSD. They all mean the same to him. One big pile of FUD to spread.

            [i]I'm not defending MS. I'm pointing out the stupidity of the comments being made here. How could I defend MS, when there is yet to be a valid criticism leveled at it in this thread?[/i]

            Yeah, three of those patches are corrections from October's Patch Tuesday:

            [i]"Andrew Clarke, senior VP at patching specialist Lumension, reckons three of the updates due out on Tuesday may also be aimed at tackling glitches with the October patch batch.

            "Microsoft is delivering three critical patches and three important patches, none of which impact Windows 7," Clarke said. "Three of the November patches, however, appear to be updates to or re-releases of patches that were issued last month including Live Communications Server 2005 and Office Communications Server 2007, as well as scenarios involving the usage of Windows Server Update Services or running Microsoft Office Access Runtime 2003."[/i]

            http://www.theregister.co.uk/2009/11/06/ms_nov_patch_tuesday/

            In other words, they screwed it up the first time.

            Maybe they'll get it right this time, huh... lol... :D
            Wintel BSOD
          • This is hilarious

            [i]If that's truly the case, then why bring up red herrings like Linux, Apple or BSD in the first place?[/i]

            This "But you mentioned Linux, Apple or BSD" line seems to be a one-size-fits-all response to any argument in your world. It's pretty funny really, because it consistently fails to engage the actual subject matter that is the source of the discussion.

            You might as well be saying "I don't understand, but I disagree anyway."
            Mew-shew
          • Your conclusions are faulty

            If you want to do a proper analysis of operating system security, first
            establish the criteria to be used to define "secure", then set about
            measuring it.

            The secunia reports that you cite state:

            "[i]PLEASE NOTE: The statistics provided should NOT be used to
            compare the overall security of products against one another. It is
            IMPORTANT to understand what the below comments mean when
            using the statistics, especially when using the statistics to compare
            the vulnerability aspects of different products.[/i]"

            In other words, the statistics should not be used for simplistic
            comparisons of product security.

            Your "analysis" of the IBM paper you cite is similarly flawed; the data
            on vulnerabilities is based on [b]disclosed[/b] vulnerabilities (page 40).
            So the higher number of disclosed Mac OS X vulnerabilities could be
            the result of greater diligence at finding them, or more honesty in
            reporting them, or including a wider range of components in the OS,
            or a number of other reasons.

            Some of the vulnerabilities are extremely obscure (e.g. one was in the
            font utility for X11, I would guess that less than 0.1% of OS X installs
            are actually running X11), so a component of the overall measure
            should include possibility that a typical user (say one with default
            settings from a standard install) might be compromised.

            The fact that the Java vulnerability was unfixed for 6 months is
            certainly not good, but does not necessarily reflect on the overall
            security of the OS - that depends on the criteria for "secure". There
            was no known exploit and there was a very simple preventative
            measure to take in the meantime (turn off Java support in your
            browser).

            You might decide to measure security based on actual exploits in the
            wild, or number of machines actually compromised over a certain
            period. Not sure OS X would come out worst if either of those were the
            primary criterion for "secure".
            Fred Fredrickson
          • Nope

            I made sure to cite multiple sources. The
            "crunched" data by a respectable company (IBM)
            in a report which MS <i>did not pay for</i>
            shows the same tendencies as the raw data.

            Your <b>disclosed</b> remark is ridiculous. Of
            course the report is based on disclosed
            vulnerabilities, otherwise they would not be
            known to anyone. Are you somehow suggesting
            that Microsoft keeps vulnerabilities secret?

            Microsoft has a policy of disclosing *all*
            patched vulns. They are not doing so for the
            benefit of statistics but (like this bulletin)
            to empower sys admins to make informed
            decisions. They want to know exactly what would
            be the consequence of *not* allowing a patch.
            Yes, some sys admins will value system
            stability (fewer patches) over security if the
            security implications do not concern them.

            If there is any under-counting going on it is
            with Linux and OS X.

            In the case of Linux, Linus Torvalds himself has
            stated pretty clearly that he doesn't report
            security bugs. He just fixes them.

            In the case of Apple you can go through their
            bulletins and watch just how many
            "vulnerabilities" are actually "multiple
            vulnerabilities" in a 3rd party library.
            Counted as 1 OS X vuln.

            If OS X vulnerabilities suddenly shot up you
            could claim that it was a concerted effort in
            rooting them out. <b>But it has been like this
            for the last 3 years at least</b>. 3 years
            concerted effort, all while releasing 2
            versions of OS X? BS.

            And the systemic problem remains: Often 3rd
            party libraries are patched and Apple needs to
            start working them into OS X. Until Apple is
            ready with a patch, their customers are left
            hanging out there with known and disclosed
            vulnerabilities.

            And you cannot find a <b>single</b> security
            analyst/researcher who will claim that OSX has
            better anti-exploit mechanisms and better
            security. In fact, they unanimously point to
            Microsoft SDL and the better security in
            Windows.
            honeymonster
          • Are you trotting out that IBM FUD report again, @honeymonster?

            The one even you don't believe...

            lol.... :D
            Wintel BSOD
          • That "FUD" report

            Happens to be one of the most respected
            publications in the security industry. From a
            company who does NOT sell Windows security
            software, unlike "reports" from Sophos et al.

            But even so I made sure to mention the data
            source. I provided links so that you wouldn't
            have to go search. The data clearly show the
            same tendencies as IBM reported.

            It may not coincide with your preconceived
            conclusions, but that alone does not make it
            FUD.
            honeymonster
          • No no no

            The security of an operating system should be measured by how [b]exploitable[/b] it is. Not how many exploits exist.

            "Windows is not as secure as OSX because there are more viruses written to attack Windows"

            Seems fine? Apply the same logic to a different premise...

            "The US Military Defence is not as robust as that of New Zealand, because there are more nations who might try to attack the U.S.A"

            Pretty ridiculous logic isn't it?
            Mew-shew