IE, Outlook, Word get critical bug fixes

Microsoft has released four critical and two important security updates for its products.

Microsoft has released six security updates for its products, fixing critical flaws in Word, Outlook Express, Internet Explorer (IE) and the Kodak image viewer that ships with Windows.

The updates, released Tuesday, fix nine bugs in Microsoft's products. In addition to the four critical updates, Microsoft also released "important" fixes for the Windows SharePoint collaboration software and in the Windows remote procedure call (RPC) technology.

Nine updates is one less than originally expected. Last Thursday, Microsoft said it was planning to fix an unnamed flaw in Windows 2000 and Windows Server 2003 that could be used for "spoofing." That update was not included in Tuesday's patches.

Microsoft pulled this Windows patch because of a "quality control issue," the company said in a statement. It's not unheard of for Microsoft to make such last-minute decisions. The SharePoint update that was released Tuesday had previously been pulled from the September updates for similar reasons.

Though the Windows RPC flaw apparently cannot be exploited to run unauthorized software on a victim's machine, security experts consider it one of the most important patches released Tuesday. RPC service has been the source of many virulent computer worms in the past, including 2003's Blaster, according to Amol Sarwate, manager of Qualys Inc.'s vulnerability research lab.

"Whenever there is a denial of service there is always a chance of remote code execution," he said. However, even if hackers could find a way to use this bug to run unauthorized software on a PC, RPC is typically blocked at the firewall. This means that even if a worm could be crafted, it would have difficulty spreading.

Sarwate said that the IE patch, which fixes four bugs in the browser, should be moved to the front of the line by system administrators. That's because IE is so widely used and some of the bugs in the browser are very likely to be used in online attacks.

The IE patch is the most critical, agreed Andrew Storms, director of security operations with nCircle Network Security Inc. According to him, an address spoofing flaw that was patched in this update has been known publicly for three months. "The URL spoof has been known since at least July and it's the perfect tool for a phisher," he said via instant message.

As for what Storms would patch after installing the IE update? "Second on my list is pretty much a tie between everything else minus the SharePoint vulnerability," he wrote.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Robert McMillan

IDG News Service

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?