For Microsoft, Patch Tuesday Often Becomes Exploit Thursday
Microsoft releases security updates on the second Tuesday of each month -- a regular schedule the company follows to make it easier for network administrators around the world to manage all the updating necessary to deploy the fixes on their systems.
Over the past several months, news of exploits targeting previously undocumented flaws in Windows and other Microsoft applications has surfaced within hours of each Patch Tuesday. Today, less than 48 hours after Microsoft released a record number of security updates, comes the release of exploit code for yet another Office flaw, this one apparently targeted at PowerPoint files in Office 2003 (no, I'm not going to link to the site hosting the exploit code).
As I've noted before, the Patch Tuesday/Exploit Wednesday (or Thursday) phenomenon gives bad guys the maximum amount of time to use exploits in the wild before Microsoft gets around to its next patch cycle. Redmond occasionally breaks out of that cycle for especially serious or high-profile attacks on unpatched flaws; it has done so twice this year, though neither of those emergency patches dealt with an Office vulnerability.
It is quite clear from the massive number of Office patches issued this week that Microsoft is doing some long overdue code review on its desktop software. So far in 2006, Microsoft has issued patches to address no fewer than 44 distinct vulnerabilities in its Office products, many of them labeled "critical" -- meaning that bad guys can install malicious programs on your machine just by convincing you to open a poisoned document or spreadsheet. By comparison, Microsoft issued just six updates to fix problems in Office last year.
It is also painfully clear that those who would wish to heap harm and embarrassment on Microsoft and its millions of users also are conducting their own audits, and with very effective results. Office flaws have shown themselves to be extremely potent weapons in targeted attacks against organizations (think corporate and government espionage).
Regarding the Office exploit revealed today, a Microsoft spokesperson said the company "is investigating new public reports of a possible vulnerability in Microsoft Office 2003. Microsoft is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time. Microsoft will continue to investigate the public reports to help provide additional guidance for customers as necessary."
While we're on the subject of Office vulnerabilities, it appears Microsoft's Office Update service is still experiencing some hiccups. I tried to update my Office 2000 installation last night and again this morning and was met with an error message saying the site was experiencing technical difficulties.