Microsoft Patches: Two for Tuesday
Microsoft today issued a pair of free security updates to fix a couple of problems in its Windows operating system and Microsoft Office software.
The Office update is a fairly large bundle that corrects at least a half-dozen vulnerabilities in most versions of Microsoft Office (including versions of Office for Mac OS X), as well as the Microsoft Works suite, which comes pre-installed on many Windows PCs, depending on the manufacturer. All six of the flaws earned a "critical" rating from Microsoft -- it's most serious, meaning Redmond considers them dangerous enough that a computer worm could use them to spread to vulnerable PCs without any action on the part of the user.
The Office flaws are considered "critical" only for Microsoft Office 2000 and Outlook 2000. The same vulnerabilities on other versions of Office are rated "important," a slightly less dangerous class of flaws Microsoft assigns to those that "whose exploitation could result in compromise of the confidentiality, integrity, or availability of users data, or of the integrity or availability of processing resources." Bottom line: critical or important, don't delay installing these patches if you're using Microsoft Office.
Microsoft also issued an update to correct an "important" vulnerability on Windows Server 2003 and Windows XP systems running Service Pack 1 (that would be any XP user who hasn't upgraded to Service Pack 2 yet). This flaw looks like it could be a little convoluted for attackers to exploit, but according to Microsoft the patch fixes a flaw that has been publicly disclosed, so it's certainly not out of the realm of possibility that the bad guys may have figured out a way to exploit it. Besides, Microsoft says "an attacker who successfully exploited this vulnerability could take complete control of an affected system."
A few notes about applying patches for Microsoft Office. If you are running Office 2000 or Microsoft Works, Microsoft recommends downloading patches from its Office Update page. Users of other affected Office versions should be able to download the patch from the Microsoft Update site.
Keep in mind, however, that these Office updates assume you have been keeping up to date on previous patches for Office products. If you're using an older version of office -- Office 2000 for example -- and you've never once visited Office Update, you will have a fair amount of updating to do before you get to this patch. But don't let that discourage you: If you haven't ever updated your Office software before, now would be an excellent time to take care of that.
Finally, if past experience is any indicator, Office users may need to have their original Microsoft Office installation discs handy while applying patches. This may not be the case for newer versions of Office, but it's always been the case with Office 2000 as far as I can remember.
The comments to this entry are closed.