Patch Tuesday: Microsoft to fix five critical security flaws
Summary: Plug everything in and prepare the systems: Patch Tuesday is coming. Microsoft will release patches for nine security vulnerabilities, five of them considered 'critical.'
Microsoft will release nine security patches next week for Windows, Internet Explorer, and Office, along with a smattering of enterprise products, such as Exchange and SQL Server.
Five of the patches are for critical vulnerabilities.
The patches will fix flaws that allow remote code execution, which would let hackers and malware writers install malware without user prompts or permission. Microsoft rates a vulnerability as 'critical' when its exploitation "could allow code execution without user interaction" such as opening an email or Web page.
Internet Explorer will see its third update in as many months, following security updates in June and July. Typically the software giant updates the browser every other month, but it reversed that decision, a move welcomed by security experts and firms.
Only Bulletin 6, for Windows, refers to an elevation of privilege, which can allow malware to raise the user's permissions and reach the far corners of the operating system's critical files. The rest relate to malware injection onto users' machines.
Microsoft doesn't release the full details of the vulnerabilities until patches are made available. This will be the first update for email server Exchange 2007 and 2010 since December 2010.
This should serve as an advisory notice for the upcoming Tuesday, August 14, when the patches are released through the usual update channels.
Talkback
Wow
remote code execution
Let's face it.
or even more succinctly..
Very strange!!!
I thought it is possible to develop a bug free software NOT.
So you expect that all
What "fixing bugs" means in your world.
You also seem to be under the impression that the code fixes going out each month are reactive to actual incurred incidents, but in fact the vast majority of these fixes are proactively found by MSFT's security team ahead of time, and plugged before it becomes well discovered and exploited.
The fact is, there are tons of crafty ways of discovering and taking advantage of these loopholes in operating systems, not just Windows. All eyes and ears of blackhat malware and virus devs are honed in on Windows because that's where they can make their mark count the most. iOS and OSX very likely have many of these holes large enough to drive a truck through, but is of no concern because nobody's trying to exploit them. Or, rather, not very many....there's increasing evidence now that that's changing.
Announcement of MSFT releasing new vulnerability fixes should be met with favorable response (i.e. the system is that much more secure now than it was before), versus the knee-jerk "omg, they found yet ANOTHER hole in Windows, when will this end?"
Patch for Patch
It's a shame that software patching
Rather it should be viewed with positive connotation in that the software is that much better than it ever was.
Let's face the facts. Massively based software code of millions and millions of lines are going to contain lots of bugs. That's just the nature of human error. The real game is finding them, prioritizing them, and stamping them out as fast as possible.
Sometimes this is done proactively well ahead of the user community, and sometimes the user community brings it to light before the developers discover the use cases that were not immediately obvious during the design phase of the software.
Whatever the case may be, it's naive to make the assumption that the dev team is negligent when hearing about release of new patches. Rather they should be commended for finding such problems and addressing them.
The only time I'm critical of the patch writers is when the problem is well-known for a long time before anything is ever done about it.
Haven't had an iPad OS
Restart required
A couple more questions.
--What does "May require restart" mean? The updater or Windows packager can't tell if you have to reboot or not?
--Do you have to restart after applying every patch or can you apply all the patches at once? Reboot cycles were known to bother Windows users in the past.
Files being used
possible on other systems
It is possible in most cases on other OS's. If an office application is restarted then only the office application might need to be restarted. Moreover, sometimes just a part of an application needs a rest. Say, if I update/install a new elisp library for GNU Emacs, I just load/reload it without restarting my emacs/client server. It concerns Emacs for Windows too, I suppose.
This demonstrates a proper way of writing the code.
Very dangerous unless you are extremely knowledgeable
I know it is very popular to make a big deal about rebooting once a month. If I switched to Linux, I would gain 2 minutes a month in productivity from not having to wait for a reboot. I would lose hours a month trying to figure out exactly which processes I need to end so that the vulnerable libraries get released and the patched libraries get loaded.
That is why Linux has a much higher TCO.
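The comment above turns on knowing which running processes still map the pre-patch copy of a library. As an added example (not part of the article or of any comment), this Python code reads Linux `/proc/<pid>/maps`, where a mapped file that was replaced on disk is listed with a ` (deleted)` suffix, and reports the processes that need a restart. The sample maps text is constructed, and the function names `stale_libraries` and `scan` are hypothetical.

```python
import os
import re

# Constructed sample of /proc/<pid>/maps content (not captured from a real host).
SAMPLE_MAPS = """\
55d0c8a00000-55d0c8a2c000 r-xp 00000000 08:01 1311 /usr/sbin/exampled
7f3a1c000000-7f3a1c1e0000 r-xp 00000000 08:01 2622 /usr/lib/libssl.so.1.1 (deleted)
7f3a1c400000-7f3a1c5b0000 r-xp 00000000 08:01 2630 /usr/lib/libc.so.6
7f3a1c800000-7f3a1c820000 rw-s 00000000 00:05 9001 /dev/shm/cache (deleted)
7f3a1ca00000-7f3a1ca21000 rw-p 00000000 00:00 0 [heap]
"""

# Matches libfoo.so and versioned names such as libfoo.so.1.2
SHARED_OBJECT = re.compile(r"\.so(\.[0-9A-Za-z_.-]+)?$")

def stale_libraries(maps_text):
    """Return shared objects that are still mapped but were replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 6:
            continue  # anonymous mapping, no backing file
        path, marker = fields[5], " (deleted)"
        if path.endswith(marker) and SHARED_OBJECT.search(path[: -len(marker)]):
            stale.add(path[: -len(marker)])
    return sorted(stale)

def scan(proc_root="/proc"):
    """Map pid -> (process name, stale libraries) for every readable process."""
    report = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), errors="replace") as fh:
                libs = stale_libraries(fh.read())
            with open(os.path.join(proc_root, entry, "comm"), errors="replace") as fh:
                name = fh.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        if libs:
            report[int(entry)] = (name, libs)
    return report

if __name__ == "__main__":
    for pid, (name, libs) in sorted(scan().items()):
        print(pid, name, ", ".join(libs))
```

Run as root to see every process; an unprivileged run only covers the caller's own processes. Deleted non-library mappings, such as shared-memory files, are filtered out so they do not show up as pending restarts.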
@Todd Jobs
>>I've heard of many reports where people patch their Linux system but don't restart the appropriate parts.
You might have heard many things, however, in most cases, either a user gets notified that restart of the particular application is required (a corresponding icon will pop up on the panel) or a service will be restarted by the updater automatically.
Maybe it's very hard for a Windows habitue to know what to restart, for normal people it is not: if the app X is updated, restart the said app X, duh?
TCO is higher for Linux? Did you "Get the Facts" then?
Wow, you just gave a great example
Ah, I didn't realize Linux was so simple.
Hey, what a coincidence. My friend just called me and said that he updated his glib library. I told him to restart the glib app. I did good, right?
Actually
Less than a minute reinitialize the system /w the new patched libraries.
Why figure out what process to run.. Most services are like this.. Server environment , Ksplice for kernel or patch then restart the process.. On apache you can restart it while letting apache complete the prev threads/processes no downtime.
Thanks for the info
Now we are down to Linux saving me 1 minute a month.
Assuming I lose 0 productivity after switching to Linux, how many minutes will it take me to install Linux, transfer my files and settings, find replacement applications, install those replacement applications, convert my documents and files (if possible) and learn a whole new OS? If I can do that in 12 minutes or less, I'm sold because then it means that the switch will have paid for itself in a year or less.
Let's be honest though, it will take more than 12 minutes. Let's be optimistic and say 6 hours. Now we are talking about a switch that will take 72 years to pay for itself in increased productivity. I don't plan on being alive 72 years from now.
Anything else you want to sell me?
Linux (Mint, Ubuntu) is effortless and doesn't require any worrying.
We've been using Linux for almost 11 years without using any anti-virus and we never had any problems. Absolutely nothing.
The free programs work very well and take the place of the Microsoft programs. LibreOffice comes with Mint and Ubuntu and is very powerful and can be configured to save in all the popular Microsoft formats like .doc, .xls, .mdb, .ppt so it's a great alternative for grade school, high school, or college kids that need reliability and security.
Google Earth, Google Picasa, Gimp (similar to Photoshop) and 33,000 other free programs are available for installation through the included software manager utility.
Linux, LibreOffice and Microsoft Access *.mdb files?
The "magic" for *.mdb files on Linux is the open-source mdbtools:
http://mdbtools.sourceforge.net/
A number of distros, including Debian and Ubuntu, provide mdbtools packages.