Microsoft patches six 'critical' flaws

Microsoft has released 11 security patches, six of which are "critical" and five of which are "important", according to the software giant.
Written by Robert Vamosi, Contributor and  Tom Espiner, Contributor

Microsoft has released 11 security patches, six of which are "critical" and five of which are "important", according to the software giant.

This month's "Patch Tuesday" did not include a patch that had been promised in Microsoft's advance notification for February 2008. Microsoft could not be reached for comment at the time of writing to say why the patch had not been included.

Most of the critical vulnerabilities addressed in this month's patches affect Office, while one affects Internet Explorer, according to Microsoft's security bulletin summary. One of the critical vulnerabilities, as reported in Microsoft Security Bulletin MS08-008, affects both Microsoft Office 2004 for Mac and Microsoft Visual Basic 6.0 Service Pack 6.

The five "important" patches affect Microsoft Internet Information Services, Windows and Office. All the Windows Vista-related updates will be included with Windows Vista SP1, expected to roll out to consumers in mid to late March.

Tim Rains, security response communications lead for Microsoft, told ZDNet.com.au sister site CNET News.com: "Windows Vista SP1 and Windows Server 2008 are not affected by any of today's bulletins." Neither are yet available to the public.

Microsoft security patches for the vulnerabilities are available via Microsoft Windows Update or Microsoft's February security bulletin summary.

Security vendor Symantec warned that exploits for the vulnerabilities would not require much user interaction to execute.

"While the batch of critical vulnerabilities all require some sort of user interaction to exploit, the interaction can be as simple as visiting a trusted Web site that has first been exploited by an attacker," said Ben Greenbaum, senior research manager at Symantec Security Response.

Security-management company Lumension advised IT administrators to concentrate on patching the vulnerabilities in Office and Internet Explorer first. "Attackers have shown in recent years that they'd rather target applications than go directly for the throat of the operating system, placing pressure on businesses to address the Office and Internet Explorer vulnerabilities," said Alan Bentley, Lumension's European vice president.

Editorial standards