Patch Tuesday Plugs 19 Microsoft Security Holes
Microsoft today issued software updates to plug at least 19 separate security holes in its Windows operating system and other software, including two vulnerabilities that criminals are actively exploiting to take control of Windows PCs. Windows users can install the free updates through the Microsoft Update Web site or via Automatic Updates.
All seven of the patch bundles released today earned "critical" labels, Microsoft's most severe. Critical vulnerabilities are those that provide criminals the ability to gain control over vulnerable machines remotely, the kind that are usually exploitable just by convincing a user to visit a malicious Web site or open a specially crafted e-mail.
Seven of the critical flaws patched today reside in various versions of Microsoft Office products, including one vulnerability in Microsoft Word that bad guys are actively using. The vulnerabilities are present in most versions of Office, including some found in versions of Office designed for use on Mac OS X systems.
The company also issued its first patch for Office 2007. This is significant because Office 2007 was the first product to go through the company's much-touted "security development lifecycle" from inception to market, a process that was designed to reduce the number of vulnerabilities.
Users who have Office 2000 installed will need to visit Microsoft's Office Update site in order to download the Office patches released today. Depending on which installation option they choose, Office 2000 users may also be asked to insert the original Office installation CD during the process.
It would hardly be Patch Tuesday without security updates for Microsoft's Internet Explorer Web browser, and today's patch batch does not disappoint, fixing six critical IE flaws. The IE bundle also corrects vulnerabilities found in IE5 through IE7, as well as IE7 as installed on Windows Vista systems.
As expected, Microsoft pushed out a patch to plug a vulnerability in Windows 2000 Server and Windows Server 2003 systems running the DNS Server Service. Criminal hackers have been exploiting this flaw for the past month to compromise vulnerable systems. Another update mends four separate vulnerabilities in Microsoft Exchange, the company's e-mail server software.
The types of security holes addressed in this month's patches are a good marker for where the bad guys are currently focusing their attention, said Oliver Friedrichs, director of Symantec Security Response.
"We've seen a fairly significant trend toward attacks against desktop applications -- the browsers, Microsoft Word and Excel -- for example," Friedrichs said. "As witnessed by this release, there is no shortage of vulnerabilities to be found in these desktop apps."