News

Microsoft Issues Security Update For Windows, Office

Microsoft Tuesday released its largest security in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE) Windows Messenger and other software

By Gregg Keizer, Computerworld

August 13, 2008 — CSO —

Microsoft Tuesday released its largest security in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer (IE) Windows Messenger and other software.

"Today is a perfect storm of client-side issues," said Amol Sarwate , manger of Qualys Inc.'s vulnerabilities research lab. "Most or all of Microsoft's client-side applications are affected or patched." At least two of the vulnerabilities have already been exploited in the wild, Microsoft acknowledged. Those two, plus another pair, said one security researcher, should be considered "zero-day" bugs since technical details about the flaws had been circulating prior to today.

"It's all about the count today," Sarwate said. "This is the largest update in 2008, and the largest in the last 18 months. We have two that we know have been exploited and four zero-days."

Even though today's updates -- 11 total bulletins, six of which were tagged as "critical," Microsoft's highest threat ranging -- set a 2008 record, Microsoft left one expected fix off the table: Last week, it said it would patch one or more critical flaws in Windows Media Player 11, the version bundled with Windows Vista.

Microsoft has yanked updates at the last minute in the past, and typically cites reliability concerns with the patch or says it was not able to wrap up testing in time. So it did today: "The bulletin has been removed prior to today's bulletin release because of a last minute quality issue," said Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC) in an e-mail.

Of today's 11 updates, two were most anticipated: a patch for a bug in the Snapshot Viewer ActiveX control, which is bundled with Access, Microsoft's database application, and one for a less-critical flaw in Microsoft Word that the company confirmed in a July 8 security advisory . The former was patched by MS08-041 , while the latter was fixed by MS08-042. The Snapshot Viewer and Word vulnerabilities have been exploited by attackers, making them especially important to patch, Sarwate said.

Andrew Storms, director of security operations at security vendor nCircle Network Security Inc., saw two major themes in the massive update. "There's a lot of file parsing vulnerabilities here," he said, " and a ton of replacement bulletins."

File format bugs are not new to Microsoft's software, especially the applications in its Office suite, but the number patched today -- a full dozen altogether -- took him by surprise. "Every Office product got touched today," Storms said. "The good thing is that if Office 2007 [applications] are affected, they're less affected, because the file format changed with that version."