Network World

Microsoft issues security update for Windows, Office

By Gregg Keizer, Computerworld, 08/12/2008

Microsoft Tuesday released its largest security update in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE), Windows Messenger and other software.

"Today is a perfect storm of client-side issues," said Amol Sarwate, manager of Qualys Inc.'s vulnerabilities research lab. "Most or all of Microsoft's client-side applications are affected or patched."

At least two of the vulnerabilities have already been exploited in the wild, Microsoft acknowledged. Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs since technical details about the flaws had been circulating prior to today.

"It's all about the count today," Sarwate said. "This is the largest update in 2008, and the largest in the last 18 months. We have two that we know have been exploited and four zero-days."

Even though today's updates -- 11 total bulletins, six of which were tagged as "critical," Microsoft's highest threat ranking -- set a 2008 record, Microsoft left one expected fix off the table: Last week, it said it would patch one or more critical flaws in Windows Media Player 11, the version bundled with Windows Vista.

Microsoft has yanked updates at the last minute in the past, and typically cites reliability concerns with the patch or says it was not able to wrap up testing in time. So it did today: "The bulletin has been removed prior to today's bulletin release because of a last minute quality issue," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) in an e-mail.

Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word that the company confirmed in a July 8 security advisory. The former was patched by MS08-041, while the latter was fixed by MS08-042.

The Snapshot Viewer and Word vulnerabilities have been exploited by attackers, making them especially important to patch, Sarwate said.

Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., saw two major themes in the massive update. "There's a lot of file parsing vulnerabilities here," he said, "and a ton of replacement bulletins."
